“Calhoun 


Institutional Archive of the Naval Postgraduate School 





Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items 


1993-03 


A formal protocol test procedure for the 
Survivable Adaptable Fiber Optic Embedded 
Network (SAFENET) 


High, Wayne 


Monterey, California. Naval Postgraduate School 
http://hdl.handle.net/10945/39864 


This publication is a work of the U.S. Government as defined in Title 17, United 
States Code, Section 101. Copyright protection is not available for this work in the 
United States. 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for 


\§ D U DL EY research materials and institutional publications created by the NPS community. 
«iit Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first 


NY KNOX appointed -- and published -- scholarly author. 


LIBRARY Dudley Knox Library / Naval Postgraduate School 
411 Dyer Road / 1 University Circle 


http://www.nps.edu/library Monterey, California USA 93943 


NAVAL POSTGRADUATE SCHOOL 
Monterey, California 


AD-A267 410 . 
A eee | DTIC 


ELECTE 
AUG 4 1993 


C 





THESIS 











A FORMAL PROTOCOL TEST PROCEDURE 
FOR THE SURVIVABLE ADAPTABLE FIBER 
OPTIC EMBEDDED NETWORK 
(SAFENET) 






by 
Wayne High 


March 1993 





rhesis Advisor: G. M. Lundy 


Approved for public release; distribution is unlimited. 


93-17362 
ATL ASHE ; 


PCS 9 3 8 3 0 8 3 





UNCLASSIFIED 


SECURITY CLASSIFICATION OF THIS PAGE 


Approved tor public release: 
distribution is unlimited 


Gq NAME OF BEEFORMNG ORGANZATON [60 OFECE SYMBOL 
mputer Science Dept. “if appiicable) 


Naval Postgraduate School CS 


6c. ADORESS (City, State. and ZIP Code; 7b ADDRESS /City. State. and ZIP Code} 
. \ , i + a ~ a 
Monterey, CA 93943-5000 Monterey, CA 93943-5000 


Ba. NAME O UND OC i 8b OFFI MBOL 
ORGANIZATION “if applicable) 


8c. ADDRESS (City, State. and ZIP Code) NDING NUMBER 


GRAM PROJE ASK WORK UNI 
ELEMENT NO NO NO ACCESSION NO. 


11. TITLE (include Security Classification) 
A FORMAL PROTOCOL TEST PROCEDURE FOR THE SURVIVABLE ADAPTABLE FIBER 
OPTIC EMBEDDED NETWORK (SAFENET) (U) 

BEMOONAL AUTHOR 

ayne ite gi 


a. TYPE OF REPO T30 TIME COVERED 


16. SU MENTARY NOTATION 


policy or position of the Department of Defense or the United States Government. 


17. COSAT! CODES 18 SUBJECT TERMS (Continue on reverse if necessary and identify by block number) 


SAFENET profile specification, conformance testing 
a See eee 
See 

19. ABSTRACT (Continue on reverse if necessary and identify by block number) 

This thesis focuses upon a new method for verifying the correct operation of a complex, high speed fiber optic communication network. 
These networks are of growing importance to the military because of their increased connectivity, survivability, and reconfigurability. With 
the introduction and increased dependence on sophisticated software and protocols, it is essential that their operation be correct. Because of 
the speed and complexity of fiber optic networks being designed today, they are becoming increasingly difficult to test. Previously, testing 
was accomplished by application of conformance test methods which had little connection with a implementation’s specification. The major 
goal of conformance testing is to ensure that the implementauon of a prolile is consistent with ils specification. Formal specification is needed 
to ensure that the implementation performs its intended operauions while exhibiung desirable behaviors. The new conformance test method 
presented is based upon the System of Communicating Machine model which uses a formal protocol specification to generate a test sequence. 

The major contribution of this thesis is the application of the System of Communicating Machine model to formal profile specifications 
of the Survivable Adaptable Fiber Optic Embedded Network (SAFENET) standard which results in the derivation of test sequences for a 
SAFENET profile. The results of applying this new method to SAFENET’s OSI and Lightweight profiles are presented. 


AILAB Y OF ABSTHA 1 ABSTRA HITY CLA ATION 
SSIFIED/UNLIMITED (CJ SAME As RPT CJ oTic USERS UNCLASSIFIED 


PONSIBLE INDIVIDUAL 22b TELEPHONE (include Area Code) e), BO 
(408) 656-2094 


OO FORM 1473, 84 MAR 83 APR edition may be used until exhausted SECURITY CLASSIFICATION OF THIS PAGE 
All other editions are SRSOES UNCLASSIFIED 





Approved for public release; distribution is unlimited 


A FORMAL PROTOCOL TEST PROCEDURE 
FOR THE SURVIVABLE ADAPTABLE FIBER 
OPTIC EMBEDDED NETWORK 
(SAFENET) 


by 
Wayne High 
Lieutenant, United States Navy 
B.S. Computer Science, University of South Carolina, 1986 


Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF COMPUTER SCIENCE 


from the 


NAVAL POSTGRADUATE SCHOOL 
March 1993 





Author: 
Wayne'High 


Approved By: 











ABSTRACT 

This thesis focuses upon a new method for verifying the correct operation of a complex, 
high speed fiber optic communication network. These networks are of growing importance 
to the military because of their increased connectivity, survivability, and reconfigurability. 
With the introduction and increased dependence on sophisticated software and protocols, 
it is esscrtial that their operation be correct. Because of the speed and complexity of fiber 
optic communication networks being designed today, they are becoming increasingly 
difficult to test. Previously, testing was accomplished by application of conformance test 
methods which had little connection with an implementation’s specification. The major 
goal of conformance testing is to ensure that the implementation of a profile is consistent 
with its specification. Formal specification is needed to ensure that the implementation 
performs its intended operations while exhibiting desirable behaviors. The new 
conformance test method presented is based upon the System of Communicating Machirie 
model which uses a formal protocol specification of the implementation to generate a test 
sequence. 
The major contribution of this thesis is the application of the System of Communicating 
Machine model to formal profile specifications of the Survivable Adaptable Fiber Optic 
Embedded Network (SAFENET) standard which results in the derivation of test sequences 


for a SAFENET profile. The results of applying this new method to SAFENET’s OSI and 












Lightweight profiles are presented. 





DTIC TAB 
Urannounced 
Justtication oe 









DTIC QUALITY INSPECTED 3 | By 
Distributions 


iii | ALT angso 
Svecral 


6 \ 





| 
Pat 


“Accesion For c= 
NTIS CRA! 


Plies Soe ae 


= 


Avollebility Codes 


-———-~-4 


| 


i 


Jt 





TABLE OF CONTENTS 


I INTRODUCTION wiicccnaniiiiuteremen ier araivaasiiaksgemnosaeauneRoawieaene 1 
Bass, “SMTRPOS EE sissies esi ae ova ceeee pis cna eatnend tata ten nealing tee ceadeces 1 fs 
Be. “BACKGROUND ftp egagees cccsesdciecsesci Gecevessacastecvidesbeedisaanswiete eects 2 
Cy CCON TENTS secscssicvosteistincserisierinars eta sesnieeens talons nekesaniesiadxeaee avgiscoenee areas 3 : 
{. \FDDEBACKGROUND iii: sinc tenisnecaneraciennuied deerme dicen ne 4 
HI, “SAFENBT BACKGROUND ii5cssnsscyeapstedstaescosiesaysiseavesactasstdsneailameaavicr auenbboaes 9 
Az SERVICE PARTITIONS . pscecivcssssieaessiovsetsesiscechtneedssrisatarrGelenodeaaatareebonnss 9 
B.. “PROTOCOL SUITES wescsccs cas onset cvesssvaxies opssesesutpssscuncviensedntenstaneyevecosedearvadacvek 10 
Ci SAPENET TOPOQUOG Y 'saisiassicetectecctinauiiaiealasnstdessaeltanctem etaaeanauiedeetl 16 
D. SAFENET FIBER OPTIC DEVELOPMENT. ............cccccccsssssssesescsseesseneesees 16 
IV. “THE. SAFENET STANDARD 3 sic. cssssssvcasessstesasnclisasaisasavransaneisasersiVisacacsoederecbsdaceloces 19 
A. THE SAFENET STANDARD AND ITS TESTABLLITY..................ccccs00 19 
B. PROBLEMS WITH THE CURRENT SAFENET STANDARD.................. 20 
YY... TESTING FIBER OPTIC LENKS osc iesscatcsvedessessssanlorcsascdessveoonscasbosiassis seals naseies 25 
A: LOSS BUDGET iswadacierdiencnncid alan tiotamieitnnaaceleas 26 
B. (SYSTEM THROUGHPUT 'scssscsscscconcssss shavacasesiaceshadeteuatiaisbindveaceleecsravenssent 27 
1. Clock Accuracy Verification ...........tcssscscssescscsssessscsscsssesscsecsesssereees 28 
2; . “Dinning Pest Procedure ssiciisisss cans aveicnts dates atin cueatvateneintustinas 28 
VI. TESTING SAFENET’S IMPLEMENTATION PROFILES ..............cccccccscssssseesees 30 
Ais. “REST METHOD iiivicecosiccssag staan iasdunigic hershheo nan taemimiadaarhies 30 
Li,” “Preliminary Steps asses 5 o0caiesscanketesacescsn ted niapnestghoanorsarasiandeatesetarsivens 31 
2. Test Sequence Generating Procedure ..............ceeseseeseseseeeeseceseseseeeeees 32 
Bin GREPMING Step rs caticdcience, st tasccemieancuaedasgn dpe eeeaaetwlaeucnn 34 
B. APPLICATION OF TEST METHOD ............:.cccssscssscesesssssseseeessecereeeseseetseses 35 
B.. “OSP Profile: Speciation a5jjosccses. cece ekeretscctcaeisvste lave odoossersssuvaeseaeneied 35 
2. OST Test Sequence Generation ...........ccccccssscsesscseetsssessesesectcecestsees 43 
Bs~. - PTO MMINARY-StCOS sess wdoscisavsize ss vcceurcstderssinsssaneanteaseerbaacuss 43 
b. Test Sequence Generation ...............eceescssessessesecesseerseccteeseesenenses 44 
3. Lightweight Profile Specification ................sssssscscesessecceessesseseeseeeeeees 50 
4. Lightweight Test Sequence Generation ..............cccssseeesesceseeesetereeees 56 
a: -, Preliminary: Steps oii. os cetssci cessed ceasascedensrssbeacsxencasenccceasaeeeotdannveasins 56 
De - Fest Sequence Generation ...iseccisscosssessesdea sesasigescctertsecesetenscaaelas 57 
VII. CONCLUSIONS AND RECOMMENDATION G ...........cccsscssssssscssscssssssessssenessnsees 61 
A. CONTRIBUTIONS OF THIS RESEARCH ............:cscsssssssssssesssssesesscessenenees 61 
B. AREAS FOR FURTHER RESEARCH .........cccsscssscessssseseeseetsceeneceeeseaeees 62 
POPPEINDUY, sidiastessnisursrcchein actitstacdetstanca tas einlis dara tenaees olen masaasiates 63 
LIST-OF REFERENCE sssdcsciieasds peiccoeadaitins exclaimed eaccatistigunter 111 
INITIAL DISTRIBUTION LIST 00.00... cessssssesessetseseceessscestseteseseeseesssenees 113 





LIST OF TABLES 


Table: 1, OST PREDICATE-ACTIONS scsscssnisssssertcccedeadssanattociasasdanccecesendzenerte 42 
Table 2, TEST SEQUENCE FOR THE OSI PROFILE ......0....ceeeeeceseseseeees 46 
Table 3, LIGHTWEIGHT PREDICATE-ACTIONS..........cceseeeseeceeeseteeee 52 
Table 4, TEST SEQUENCE FOR THE LIGHTWEIGHT PROFILE ........... 58 





LIST OF FIGURES 


Figure 1, Typical FDDI configuration... les cctceetecnenesteeessesseseeseseaee 5 
Figure 2, FDDI Frame Fortmat.......:.c:.c.ssescssssesconsscsnsnovassessceaisestesseassecesecssesteacee 7 
Figure 3, SAFENET Protocol Profile... ceessssscsscessesseecescscceseeteeeseereenes 8 
Figure 4, Overview of the OST Profile..............:ccscssscssscesscesecesesessseascetseeereeens 12 
Figure 5, Overview of the Lightweight Profile ..............cescsssssssssesecsterseeeeees 14 
Figure 6, Overview of the Combined Profile ..................ccsccsssssssessseseceteeeseees 15 
Figure 7, An overview of component systems comprising SAFENET.......... 17 
Figure 8, OSI Profile Specification ...........cccccccsssssseeceesessesceersnseacceessesesaneees 38 
Figure 9, OSI Network Node Data Structurre.............ccssesscssscssesssessseeeseeeeeeres 41 
Figure 10, Lightweight Profile Specification .............scsessscssessssssseersesseeceses 53 
Figure 11, Lightweight Network Node Data Structure .0.....0. ce eeseeteee ees 55 


vi 








I. INTRODUCTION 


A. PURPOSE 
The Survivable Adaptable Fiber Optic Embedded Network (SAFENET) is part of the 


United States Navy’s Next Generation Computer Resources (NGCR) program and 
represents an effort to meet the data transfer demands of current and future naval shipboard 
mission critical computer systems through development of standard computer network 
profiles. SAFENET represents a Local Area Network (LAN) grouping of standards, 
encompassing the seven ISO/OSI model layers. SAFENET is a program being researched 
and developed by a joint Navy-Industry working group to formulate standard commercial 
network methods to fit the requirements of the Navy’s various combat platforms. Whenever 
possible, the joint working group intends to select well developed industry standards. The 
Navy’s NGCR team is chartered to investigate methods for future shipboard hardware and 
software development to meet the Navy’s requirements of survivability, increased 
connectivity, performance and future system growth capabilities (GREE89] [HDBK92]. 
SAFENET is an effort to meet the needs of current and future systems used aboard the 
Navy’s combat ships, submarines, and aircraft. 

Over the course of time, network designers learned that ambiguous rules can trigger 
undesirable sequences of events which can have adverse effects on the best design; 
therefore, it is essential that communication networks and their protocols be adequately 
tested. Entire networks, with possibly hundreds or even thousands of attached computers 
can be rendered essentially useless by a faulty protocol or profile. With every passing day 
our society is becoming more dependent on communication networks and their protocols. 
Consequently, with so many lives and costly equipment at stake it is imperative to test these 
profiles and protocols to ensure that they perform as intended. This thesis presents a 


conformance test method that is based upon earlier work [MILL90]. In this thesis, the 


conformance test method utilized is based upon a formal specification. In addition, 





ee a 


applications of the test method using real world SAFENET profiles as examples will be 


demonstrated. 


B. BACKGROUND 


Currently, in the Navy, computers are usually found configured in point-to-point 
interfaces. However, the growing trend of distributed architectures in modern naval 
combat systems requires a greater degree of system integration than present point-to-point 
interfaces can support. As a result, the SAFENET standards are being developed to solve 
communications connectivity and system integration problems by providing the shipboard 
computers with the capability to communicate with multiple devices and application 
programs over a single Input/Output port through the use of a computer network and to 
provide future system growth capacity. 

To ensure that the elements of a complex communications network such as SAFENET 
communicate reliably once the system has been implemented, the protocols of the system 
should be verified against all system design requirements. In this manner, instances of 
incompleteness in a protocol specification can be located using protocol verification 
techniques. Provided formal specifications have been done, conformance testing is an 
essential step to ensuring accomplishment of intended functions without error. Effectively 
testing protocols with other software and hardware systems presents a difficult problem. 
Conformance testing’s major goal is to ensure that the implementation of the protocol is 
consistent with its specification. Therefore, it is highly advantageous that the specification 
be expressed in a formal model that has been formally verified. A recent paper by Miller 
(MILL90], pointed out the developing rift between specification and verification, and 
between these two and conformance testing. Protocol models, designed for specification 
purposes, tend to have powerful program language constructs, which simplify specification 


but leads to a higher degree of verification and analysis difficulty. The Communicating 


Finite State Machine (CFSM) model is too simple for the specification of modern, complex 





protocols because this protocol model is designed primanly with analysis in mind 


[LUND91]. 


C. CONTENTS 


This thesis attempts to bridge the gap between SAFENET specification and testing. 
Assuming that all SAFENET protocols are not available in a form convenient for testing, 
simplifying the difficulty associated with verification, analysis and testing, we start from a 
protocol model called Systems of Communicating Machines (SCM). A procedure is 
presented for the generation of a test sequence for a protocol specified in terms of the 
SAFENET model. Then, the SAFENET procedure is used to generate a test sequence for a 
SAFENET protocol implementation. 

The testing of any complex software is known to be a difficult problem, and this 
certainly applies to the testing of SAFENET protocols. Because SAFENET protocols are 
critical to so many systems, it is a problem which cannot be avoided or ignored. The 
procedure presented in this thesis does not detect all errors or combinations of errors. Only 
exhaustive testing can accomplish this, but substantial resources are required. The approach 
does, however represent an attempt to exercise a portion of a SAFENET protocol machine. 
thereby providing some assurance that the implementation fulfills its purpose. 

Presently, there are two standards under development SAFENET I and SAFENET II. 
This thesis focuses on SAFENET I which uses the American National Standards Institute 
(ANSD Fiber Distributed Data Interface (FDDI) LAN that operates at 100 Mbps. In the 
following chapter the FDDI standard is discussed. In Chapter II], the SAFENET Draft 
Standard is discussed followed by Chapter iv, which discusses problems found in the 
SAFENET Draft Standard. In Chapter V, the testing of fiber optic links is discussed. In 
Chapter VI, the test procedure is applied to the SAFENET protocol. The final chapter 


surmmarizes the thesis. 


ll. FDDI BACKGROUND 


The FDDI standard is focused on the comprehensive implementation of 
communications through fiber optics; with fiber optics, information is passed through 
moduiated beams of light on glass fiber rather than the more antiquated electronic pulses 
on copper wire. In large backbone Local Area Networks (LANs), FDDI has several 
advantages over copper wire. Fiber is oblivious to lightening strikes, to the Electro- 
Magnetic Pulse (EMP) phenomenon associated with nuclear detonations and to their 
resultant current surges that can damage connected equipment and cause safety hazards. 
Furthermore, fiber is not subject to radio or Electro-Magnetic Interference (EMI) and is 
generally less restrictive in its environment, requiring far less space in existing cable runs. 

FDDI utilizes two counter-rotating token rings. The typical FDDI configuration has 
the primary ring carrying data and the secondary ring being used for automatic bypass and 
recovery (Figure 1). Current networks in service are generally comprised of CSMA/CD 
protocols, which limit transmission rates to 10 Mbps, shorter cable runs, and rapidly 
decreasing efficiency as the network load increases because of data collision resolution. 
The use of a ring topology offers the advantage of data collision elimination, which 
provides for very high effective data rates. Unlike CSMA/CD topologies (such as 
Ethermet), FDDI’s performance does not degrade significantly with increased levels of 
traffic, up to 95% of its rated capacity. FDDI networks can bypass hardware failures. When 
a node or link fails, the two counter rotating paths wrap together around the fault thus 
allowing continued communications. Any fault on FDDI dual rings can be isolated, 
keeping the remainder of the rings completely active. When the fault is corrected the fiber 
optic ring reconfigures automatically. This ability to adapt to breaks or node failures helps 


ensure reliability of the system and data availability in transfer. 


Electrical 
Interface 
Fiber Optic 


Interface 
Connector 






Dual 
Attachment 
Station 


Interface 
Connector 


Trunk 
Coupling 
Unit 


Figure 1 Typical FDDI configuration 

A special bit pattern, called a token, is continuously circulated by the FDDI ring. 
Stations transmit data by capturing the token, transmitting their traffic, and sending the 
token to the next station on the network until a complete circuit is made. FDDI supports 
two types of traffic transmissions: synchronous and asynchronous. Synchronous service is 
designed for applications with predictable bandwidths and critical response times. 
Asynchronous services are designed for applications with bursty, widely varying 
bandwidth requirements. To accommodate asynchronous, “non-deterministic” traffic a 
Target Token Rotation Time (TTRT) is defined and negotiated during ring initialization. 
Each station maintains the same value for TTRT. Each station’s Token Rotation Timer 
(TRT) is initialized to TTRT when enabled. The TRT counts down until TRT =0 and is then 
reset to TTRT. The variable Late Count (LC) is initialized to zero (LC = 0) and is 


incremented each time TRT reaches zero. In this manner, the Late Count counter records 
the number of times TRT has expired since the token was last received by a designated 
station. If TRT does not reach zero and LC is zero, the token is considered to have arrived 
early. When a station receives the token early, after transmitting any synchronous frames, 
it may transmit asynchronous frames for a period not to exceed the remaining TRT. Once 
the allotment of asynchronous frames are transmitted, the token is passed to the next station 
and both TRT and LC are reinitialized [STAL88]. Synchronous traffic is “deterministic” 
because each station is guaranteed token service within a specified time limit and for a 
specified allocation. In the event that a station has asynchronous, ‘“‘non-deterministic” 
traffic to transmit, upon receipt of the token the station, first, tansmits any synchronous 
traffic up to its allocation; then, if there is time remaining as the result of an early token 
arrival due to decreased synchronous allocation usage or if excess bandwidth is present, the 
asynchronous traffic will be transmitted. 

Utilizing FDDI as the backbone LAN offers other advantages. In addition to satisfying 
the need of connecting LANS together without compromising inter-LAN speed, FDDI 
offers capability that will enable future technologies, including circuit switching. Like most 
networks, FDDI is a packet switched network, utilizing FDDI packets to facilitate the 
efficient transmission of data in various sizes. FDDI frames vary in length, have their own 
delimiting start and end markers, and contain their own destination addresses (Figure 2). 
By using an upward compatible extension of FDDI known as FDDI-II, FDDI gains the 
capability to perform circuit-switched service in addition to normal packet switching 
[ROSS89]}. This permits future special applications which require real-time response from 
the network, including digital voice; rapid updating of tactical displays in battle may be 


another application. Ross describes the circuit switched connection as a “data stream,” 


which provides for the transmission of continuous (analog) data. 











< 4500octets J 32bits 





Figure 2 FDDI Frame Format 


FDDI rings support two types of stations: dual attach stations (DAS), which attach 
directly to the ring, and single attach stations (SAS), such as PC’s and work stations. Each 
DAS has four fiber connections, two to receive and transmit on the primary ring, and two 
to receive and transmit on the secondary ring. A typical DAS can be a concentrator, bridge, 
router, server, minicomputer or mainframe. Multiple DASs are linked together to form the 
network backbone. A SAS can be immediately isolated in case of fault detection without 
disrupting traffic on the ring. 

In a distributed network environment, all the DASs in a FDDI ring participate in 
network capability, fault recovery, management, and network initialization. Internal DAS 
timers and logic control resolution of all ring failures provide bypass handling. Therefore. 
the counter-rotating ring topology allows the network to continue functioning in the event 
that either a node or link is lost. It is this survivability, in addition to its very high 
bandwidth, that makes FDDI most suitable to a battle environment. Optical fiber minimizes 
interference and signal degradation, and minimizes signal loss over long cable runs. Due to 
the extremely large bandwidth of fiber, bit-serial transmission may be used, offering the 
advantage of hardware simplicity, decreased complexity, and increased reliability 
[ROSS89]. Reliability is a key factor for the Navy in both normal peacetime operations and 
while at battle. This interest in reliability and communications connectivity led to the 


development effort of Survivable Adaptable Fiber Optic Embedded Network (SAFENET). 

















SAFENET USER 
Application Interface 


Lightweight 
ervices 


Application 
Application Layer Services 


OSI LAYER SAFENET 









Services USER 


4 SERVICES 





XPRESS 
Transfer 












: FDDI TOKEN RING 


LAN 





OSI LAYER LOCAL AREA NETWORK 


1 


SERVICES 


Figure 3 SAFENET Protocol Profile 


I. SAFENET BACKGROUND 


SAFENET is based on the FDDI token-ring standard and incorporates profiles for both 
ISO compatibility and real time performance. By employing the seven layer ISO reference 
model for Open Systems Interconnection (OSD, SAFENET specifies protocols at each 
layer of this model, defining the complete SAFENET profile. In SAFENET, this protocol 


profile is organized in two ways: by service partitions and by defined profiles. 


A. SERVICE PARTITIONS 

The first method of SAFENET’s communicating architecture divides the protocol 
profile into three service partitions: user services, transfer services, and LAN services. Each 
of these partitions encompasses a portion of the seven layers of the ISO reference model. 
Figure 3 delineates the seven layers of the ISO reference model on the left, the major 
elements of the SAFENET profile in the center, and the service partitions on the right. The 
user services partition corresponds to the session, presentation, and application layers of the 
ISO reference model (layers 5-7) and is that portion of the SAFENET profile in which users 
interact with the network. The user services partition afford SAFENET users with the 
capability to interact with, manage, and respond to the underlying transfer services. In the 
center of the SAFENET profile lies the transfer services partition. It corresponds to the 
network, transport and Logical Link Control (LLC) sublayer of the Data Link Layer, (layers 
2-4) of the ISO reference model. Through these services reliable communication 
mechanisms are provided to SAFENET users. The LAN services partition is that part of the 
SAFENET profile which performs the actual data transfer and corresponds to the physical 
layer of the [SO reference model as well as the media access control sublayer of the data 
link layer (layers 1-2). The LAN services consist of the upload and download ability to get 


data on and off the physical medium in a controlled manner. 


B. PROTOCOL SUITES 


The second descriptive method of SAFENET communications architecture separates 
the protocols into defined profiles: the OSI protocol profile, lightweight protocol profile, 
and the combined protocol profile. As depicted in figures 4, 5, and 6, these profiles define 
the three distinct implementation classes permitted in SAFENET. It is not required that all 
stations on a given SAFENET network implement the same profiles. Each respective 
profile describes a specific combination of network protocols defined within SAFENET. 
When designing a SAFENET station, at least one of the profiles (OSI, Lightweight, and 
Combined profiles) must be implemented. However, network designers must ensure the 
presence of sufficient profiles at each station to ensure that the system meets its designed 
communications connectivity. Some of the services and protocols are common to all 
implementation classes and others are used only in the OSI or lightweight profiles.The 
SAFENET Time Service (STS) is required for all protocol suite implementations. 

The OSI protocol suite, possessing protocols and services based upon ISO standards, 
provides complete OSI compliant networking services to systems which require it. The OSI 
protocol suite consists of Manufacturing Automation Protocol (MAP) private 
communications, ISO File Transfer, Access and Management (FTAM), Directory Services, 
Association Control Service Element (ACSE), Remote Operations Service Element 
(ROSE), System Management Application Service Element (SMASE), Common 
Management Information Service Element (CMISE), presentation and session layers, 
Connection-Oriented Transport Protocol (COTP), ISO Connectionless Transport Protocol 
(CLTP) which allows the user to transmit a single unit of data, datagram, without 
establishing a connection, ISO Connectionless Network Protocol (CLNP) which provides 
services for network routing and for the segmentation and reassembly of transport layer 
messages that are too large for the underlying communications service, ES/IS routing 
exchange protocol which provides stations with the ability to associate a data link layer 
address with a given network layer address, IS/IS intra-domain routing protocol which 


dynamically determines routes to pass data between intermediate systems, LLC type | 


10 


(connectionless) protocol and the FDDI protocols. The ISO connection oriented Transport 


protocol class 4 (TP4) is required within the transfer services partition [ISO870]. This is 


done to ensure interoperability in an open systems environment. The OSI protocol suite is 
basically required when either the interoperability of independently developed nodes is a 
driving consideration, or the file handling capabilities of FTAM are required, or increased 
complexity requires network management; however, it adds this capability at the expense 
of delayed data flow and inability to supply multiple users simultaneously [(KOCH91] 


{PAIG90}. Figure 4 shows an overview of the OSI protocol suite. 








SAFENET USER 
ee ae ae 














Application Layer Services T 








ISO Presentation 
ISO CO Transport 


ISO/IEEE Logical Link Control 
FDDI Token Ring LAN 
SAFENET Physical Medium 


Figure 4 Overview of the OSI Profile 






ISO CL Transport 














In circumstances where control of timing is critical from a resource point of view, the 
lightweight protocol suite provides process to process message passing services. The 
message passing services support point to point, multicast, and remote procedure call 
(transaction) styles of service; however, multicast capability is limited to a single logical 


LAN segment (HDBK92]. The lightweight profile provides real time data transfer 





capability to various systems, as well as providing added options. The lightweight protocol 
suite Consists of lightweight application services, the Xpress Transfer Protocol (XTP), ISO 
CLTP, ISO CLNP, ES/IS routing exchange protocol, IS/IS intra- domain routing protocol, 
LLC protocol and the FDDI protocols. This profile permits implementors to develop a set 
of communication services which support the performance and architecture requirements 
of a specific system. The lightweight profile provides a limited set of network management 
capabilities. If this service is required then the combined protocol suite must be utilized. 
Finally, while this lightweight protocol suite provides fast data transfer, it does not adhere 
to the ISO standard protocol and therefore is very system specific [KOCH91}. Figure 5 


shows an overview of the lightweight profile. 


13 








SAFENET USER 






i LIGHTWEIGHT 
: APPLICATION 









SERVICES 


ISO CL Transport Z XPRESS Transfer Protocol 


ISO/TEEE Logical Link Control 
FDDI Token Ring LAN 
SAFENET Physical Medium 


Figure 5 Overview of the Lightweight Profile 















14 





SAFENET USER 














LIGHTWEIGHT 
APPLICATION 
SERVICES 


Directo 
FTAM 


Application Layer Services 






ISO/TEEE Logical Link Control 
FDDI Token Ring LAN 
SAFENET Physical Medium 


Figure 6 Overview of the Combined Profile 


The combined profile is essentially the union of the OSI and lightweight protocol 
profiles. The combined protocol suite is intended for situations that require the capabilities 
of both the OSI and lightweight protocols. Therefore, all the protocols, services and 
capabilities of OSI and lightweight profiles are included. Additionally, network 
management protocols and services are provided for those protocol enrities contained 


within the lightweight profile. However, because of the combined capability of this suite, it 


15 


requires much more complex development energy and cost [KOCH91]. Figure 6 shows an 


overview of the combined profile. 


C. SAFENET TOPOLOGY 

The basic topology design for SAFENET utilizes a redundant ring structure as shown 
in figure 1. The critical element of SAFENET’s topology is the trunk Coupling Unit (TCU). 
The TCU device enables a station to insert or remove itself from a network ring. The TCU 
is a 2x2 optical bypass switch, which is controlled by an electrical signal from the attached 
station. The TCU has the capability to readily isolate a failed station from the network, 
thereby contributing to system reliability [PAIG90]. Optical signals are transmitted in 
opposite directions on each of the two rings. It is clear from this redundant ring topology 
that accurate and timely data flow is essential to the performance of SAFENET. 
Accordingly, as its name implies, SAFENET uses fiber optic technology as the physical 
medium in which data is exchanged. Consequently, this fiber optic technology forms the 
backbone of SAFENET’s development. 


D. SAFENET FIBER OPTIC DEVELOPMENT 
The developers of SAFENET chose to employ a newer fiber optic technology over the 


older copper cables. For optical cables incorporate a number of excellent properties which 
provide data exchange for high-capacity transmission systems [JOHN87]. A major 
advantage of fiber optics is the large bandwidth times distance products obtained which 
allow data transmission rates of up to several Gbps [LI1983]. Furthermore, today’s fibers 
typically offer bit rates of several hundred Mbps {IFOC84) and [LUND91). Additionally, 
since glass is a dielectric medium, immune to electromagnetic interference and free from 
sparking, these optical fibers are useful in EMI-rich and other hostile environments. Low 
attenuation combined with its extremely small physical dimensions make optical fibers the 
physical medium of choice [FINL84}. 


16 


As shown in Figure 1, each network ring is composed of TCUs and connecting trunk 
cables. The primary and secondary ring trunk cables are intended to be physically separated 
to enhance survivability in the event of battle damage. This placement strategy of allowing 
key network components (e.g., TCU and DAS) to be separated will allow the network to 
absorb some damage without the entire system losing its ability to operate. 

It is understood that for an active ring either a node failure or a fiber break will cause 
a fatal crash. To correct this deficiency, SAFENET has added a second ring in the opposite 
direction as discussed earlier. This configuration allows for two types of network 
reconfiguration in the presence of a fault in the cable: ring hop/hold and ring wrap. Ring 
wrap is caused by a fault in the primary and secondary rings, the faulty sections of both 
rings are isolated by forming one or more rings out of the remaining portions of the primary 


and secondary rings [HDBK92}. 


mn | 










ULL ; UUQULUU UU UATE ff 


Backbone LAN 





Figure 7 An overview of component systems comprising SAFENET 





Figure 7 depicts the manner in which each component or warfare speciality area is 
unified into a whole. Each component, alone, is a system; yet, the synergism inherent in 


SAFENET's configuration and survivability features make it everi more formidable. 


Iv. THE SAFENET STANDARD 


A. THE SAFENET STANDARD AND ITS TESTABILITY 


The SAFENET manual provides requirements for the implementation of fiber optic 
local area networks which are intended for use in support of mission critical computer 
resources. The SAFENET standard is organizationally well written, but it is large, and 
complex in its potential interprofile relationships. Each protocol within a SAFENET profile 
can be viewed as a finite state machine. The task of figuring out which protocol machines 
are expected to communicate within each profile can be awesome and daunting to some. 
While concrete design specifications are not expected to be contained in the manual. 
abstract design specifications should have and would have proven very useful to designers. 
As a result of neither abstract nor concrete design specifications, the SAFENET manual 
must be closely scrutinized and intra-profile relationships gleaned to garner all implicit 
relationships bit by bit in order to attain a formal specification. 

The standards manual references in several cases existing standards; however, there 
are requirements which SAFENET references that are not yet completely formulated and 
are currently in draft status. SAFENET’s Network Development Guidance and 
Conformance Test Guidance are two such requirements whose standards are listed as 
drafts. The Development Guidance and the Conformance Test Guidance are very crucial 
for SAFENET development. Systems Analvst and Designers will use these two manuals 
extensively to develop their implementation, in conjunction with the SAFENET standards 
manual. In addition, the Quality Assurance and Testing team will use these two manuals 
extensively to develop a test package. As a result of these two important publications being 
in their draft stages of development, the difficulty of testing a SAFENET implementation 
greatly increases. Consequently, the issue of whether we can implement SAFENET and 
perform the conformance testing without these two publications, begins to favor having ihe 


availability of both publications. Development and testability are greatly enhanced with the 


19 


CS ge eee ee ae ee Se ae 


availability of both the SAFENET Network Development Guidance and the SAFENET 


Conformance Test Guidance. 


B. PROBLEMS WITH THE CURRENT SAFENET STANDARD 


While SAFENET represents a major step forward in communications connectivity, 
this breakthrough is not without its share of problems and potential pitfalls. Typically, 
problems are associated with or attributed to any new introductory system. The current 
manual of SAFENET’s standard is neither a users manual nor a technical manual. It is 
essentially a SAFENET standard document of specification that Development teams can 
use as guidelines for creating, implementing and testing a SAFENET network. 
Consequently, the current standard does not contain tutorials or a listing of descriptive 
features from a users’ point of view. The standards manual is inadequate for describing 
specific features, user protocol interfaces, and for navigating between and within protocols. 
These features are expected to be contained in an implementor’s users manual. 
Additionally, the current standard while containing much technical information is 
insufficient in that context, and the manual alone lacks the technical data necessary to 
facilitate a SAFENET installation in accordance with Military Specifications (MIL- 
SPECS). 

Most of the fiber optic components used commercially meet MIL-SPECS, that is they 
conform to the quality control standard demanded by MIL-SPECS; however, the fiber optic 
bypass switch, contained within the TCU, did not perform in accordance with MIL-SPECS 
[GREE89}. As mentioned earlier, the fiber optic bypass switch bypasses a station which 
does not energize an electrical signal to this switch Consequently, the SAFENET 
committee will have to expend research and developm~ + resources in this area to comply 
with MIL-SPECS. The specification of militarized components makes SAFENET lose the 


modular “plug” compatibility desired with standard off-the-shelf commerically available 


components, but this is seen as a necessary trade-off to enhance reliability and survivability. 





In theory, ANSI FDDI can support the reliability and survivability features that are 
proposed for SAFENET, called dual path reconfiguration. SAFENET’s approach to 
enhanced survivability was to initially specify the wrap method and after that specification 
is completed to actively work on development of a specification which uses both ring hop 
and wrap methods [GREE89]. The ANSI FDDI standard provides for the dual ring wrap 
reconfiguration technique; however, the ring hop reconfiguration technique is not 
supported in ANSI FDDI. The Navy’s interest is expected to have a positive impact on 
development of the ring hop feature. But, whether this hop capability does become in 
reality a viable reconfiguration technique will depend on whether FDDI chip set 
manufacturers find the hop method cost effective to implement. 

Another major area of concern is the support for time synchronization. The 
distribution of high precision, synchronized, digital time value among the components of a 
distributed real time system on a platform wide scale is one of the requirements that exist 
in all Navy SAFENET tactical systems. During the operational employment of a tactical 
system or platform, time synchronization is needed continually. The SAFENET Time 
Service (STS) provides for the distribution of time information and the synchronization of 
distributed clocks within a system. This capability is necessary for activities such as 
correlating information provided by various sensors to control weapons, to conduct post 
event reconstruction of critical events and to accomplish time critical diagnostic tests. 

In searching for a candidate protocol for time synchronization, the SAFENET 
committee found that no true industry-wide standard existed [GREE89]. The Network 
Time Protocol (NTP), which utilizes a hardware clock of identifiable accuracy bound at 
each computing element employs a logical synchronized clock as its base. To support the 
STS each station or node is required to have a local time source, called a Network Clock. 
The Network Clock includes both the software and hardware components necessary to 
implement a time source. The STS is partitioned into three functional areas: the clock 
synchronization service, the user time service, and the time management service. Thus, the 


STS resident in each node uses the Network Clock to provide the current value of time, 


21 





clock quality and accuracy of time value to users in the local SAFENET node and to 
synchronize with other Network Clocks in the network. It is anticipated that major 
platforms will have clocks utilizing satellite synchronization; this concept appears to 
facilitate the Navy’s application. 

The prototyping activity in progress within the NGCR community is looked upon to 
supply the critical answer as to whether distributed Network Clocks will satisfy naval 
requirements. Surprisingly, SAFENET has established no error bounds or performance 
requirements for the individual Network Clocks in a network. It is assumed that the system 
implementors will use components of sufficient quality to meet the system specific 
requirements. The quality of the components used will have a direct impact on the level of 
synchronization achieved. In all aspects, this represents a potential pitfall; clock 
synchronization performance is a critical area that will require close attention during 
system design. The performance requirements of the system will need to be specified and 
the appropriate configuration parameters determined. 

One primary necessity for naval tactical systems is the need to support real time 
communications, be it, periodic and aperiodic, multicast and point to point, or low latency 
communications. The ability to delay or even abort low value communications in favor of 
more urgent communications is a problem for both present and future applications, 
particularly in the event of momentary insufficient data communication resources 
[GREE89]. Because of the nature of timed token behavior, ANSI FDDI provides only two 
levels for data frames, synchronous and asynchronous traffic. This methodology has no 
effect on which station obtains the right to transmit data next. The basis for SAFENET I, 
the IEEE 802.5 standard provides a three bit priority field which supports eight levels of 
priority and is used for selecting the token holder, the next station allowed to transmit 
frames. The viewpoint of the SAFENET committee is that eight levels of priority is 
inadequate for meeting system requirements. SAFENET did not provide any real time 
specification for this area and thus this led to the SAFENET Lightweight Protocol profile. 
The Lightweight Protocol candidate selected was the XTP protocol which is non- 


22 





proprietary, has the potential for industry standardization and provides the needed support 
for real time communications. The development of SAFENET requirements used the XTP 
protocol as a reference for what is possible and practical and also as a means of feedback 
to the XTP developers the requirements which were not met by the current version of the 
XTP protocol. Thus, the key and potential problem for the Lightweight Protocol profile is 
how well it supports real time, prioritized traffic in present and future applications. 

Presently, in the Lightweight profile only the XTP SAFENET hex address format can 
be used [HDBK92]. Particularly in stressful moments, hex addressing does not lend itself 
very well to human recall as the primary means of station addressing. Within the OSI 
profile, given a logical name known by the application, the Directory Services will provide 
the needed addressing information. However, no specification exists for real time users not 
using OSI as the communication protocol, and since SAFENET allows a non-standard 
approach for the Application, Presentation, and Session layers as well as the Lightweight 
Protocol underneath, a major problem exists here. 

The Lightweight profile’s multicast capability envisioned for SAFENET is limited to 
a single logical LAN segment; this may not be the optimal approach. Naval combat 
platforms in hostile environments should have the ability to broadcast across multiple 
LANs to report tactical and strategic casualties (Engineering, Weapons, etc.) to decision 
makers. The issue of multicast capability to multiple LANs should be reviewed to 
determine its value to decision makers. 

SAFENET addresses the issue of clock granularity, but in terms of clock accuracy, no 
guidance is established for the performance requirements of the individual network clocks 
in a network. Determining the system clock resolution is needed to accurately determine 
the amount of time taken in point to point data transfers. For example, consider a radar 
target that is passed to weapons for engagement. Clock resolution and synchronization is 
what is required in this real time scenario for a successful engagement. Without these two, 
resolution and synchronization, how can a target be engaged, if we do not know whether 


the data is late, therefore useless or an actual prediction. This issue of clock performance, 


23 


resolution and synchronization is a potential pitfall because the determination of what is 
“sufficient” component quality is left up to the system engineer. 

Security as pertains to the protection of data that is transferred on the network is the 
final area of concern. Although it may not be necessary for all implementations of 
SAFENET to provide security services, security implementations will be necessary in 
some platforms. For example, a platform with an implementation that involves data 
transfers of multiple classification will require a risk analysis to determine which security 
services to provide. Satisfying the security requirements as provided in MIL-HDBK-818- 
1 (still in drafting stage) may prove difficult to implement and yet, still conform to 
SAFENET’s standard. 


24 


v. TESTING FIBER OPTIC LINKS 


The design points for a communication link are many and require careful 
consideration. The band width-length specified for SAFENET Laser or LED with 
multimode, graded index fiber can support data rates from 10 to several hundred Mbps over 
distances ranging from 10 meters to 200 kilometers. To design a reliable SAFENET 
communications data link, a through survey and analysis of system requirements is 
necessary. 

The maximum tolerable bit error rate for the system must be determined. The bit error 
rate is the probability that an error has been detected in a received bit. The determination 


of the bit error rate is a critical element in the total SAFENET communications system 
performance. The bit error rate for a metallic connection is approximately 10°; whereas, a 


bit error rate of 10° is commonly used for fiber optic data links. The bit error rate is also a 
product of receiver sensitivity. The total allowable power loss for the link is the difference 
in the power provided by the source and the power required by the detector. Additionally, 
some spare power must be present to account for temperature variations, diode aging and 
bend loss on the fiber. The above criteria represent the major points in fiber optic data link 
design. 

In the case of ANSI FDDI, the single most important factor is the bit error probability 


(P.). If the P, is too high, the need for frame retransmission occurs more frequently; if it is 


too small, the system will be prohibitively expensive. The P, for FDDI is 2.5 x 10°! which 


is easily attainable with current optical fiber technology. As long as the signal-to-noise ratio 


is sufficient, the required P, is attainable. Conversely, if the signal-to-noise ratio ts 


insufficient, the P, will tend toward certainty (1). 











A. LOSS BUDGET 


A loss budget analysis is important for ensuring that the SAFENET system will meet 
or exceed performance limits. In conventional radio frequency systems like Ethernet or 
Token Ring, the signal-to-noise ratio must be large enough to support a specified P,. For an 
optical system, the goal is the same, but the calculations are based on losses specific to the 
optical net. The ANSI FDDI standard specifies a P, of less than 2.5 x 10°10 [ANNA88]. 
Robert Kimball provides a detailed explanation of the different losses associated with 
FDDI [KIMB89]. The reason for conducting this analysis is to determine whether or not 
the installation will meet the FDDI requirements and thus be in conformance with 


SAFENET. The general form of the decision statistic is: 


sity x les 


P represents the available power, defined as 11 dB for FDDI. The first term on the right 


hand side of the inequality, Hy. is the sum of the aggregate component losses in the link. 


These losses include propagation losses due to irregularities in the fiber, connector losses, 
splice losses, higher order mode losses (due to refraction inside the fiber), and the Media 
Interface Connector (MIC) ferrule delta. The MIC ferrule delta accounts for the difference 
between the precision test ferrule and a production ferrule [KIMB89]. MIC is the plug and 
receptacle pair that makes the physical connection between the optical fibers and the 
transmitter or receiver. 


The second term on the right hand side, dq? is the dispersion penalty, which accounts 


for dispersion losses in the optical fiber. This is a function of bit rate and of several 
chromatic characteristics of the LEDs used in FDDI. Within the dispersion penaity 
equation, the average segment length component accounts for links that consist of several 


spliced segments. This accounts for the bandwidth concatenation phenomena, which may 


26 


cause a bandwidth increase in concatenated fibers over what is normally expected in a 
single, unbroken fiber. 


The third term on the right hand side, Hoo is the system margin. It represents a 


catch-all that allows for variations in the cable plant and a factor that compensates for 
timing variations between the light level at the output of the fiber and the light received at 


the lens on the receiver. 


The final term on the right hand side, 2 at is the total variance of the link loss 
T 


distribution and is defined as a function of the variances of the dispersion penalty and the 
loss distribution. 

The final step is to substitute all the intermediate results for the right hand side terms 
back into the original equation to verify that we have not exceeded the loss budget. If the 
right hand side of the equation exceeds 11 dB, one would need to go back to the SAFENET 
installation and figure out where the loss budget can be improved. The area that would 
provide the greatest change with the least effort would be the aggregate component loss 
factor. Two ways to improve this factor would be to shorten the links between transmitter 
and receiver or reduce the number of connectors. Obviously, there will be instances where 
it is impractical to alter this component; consequently, other components on the right hand 


side of the inequality will have to be evaluated. 


B. SYSTEM THROUGHPUT 

Theoretically, networks can approach 100% transmission efficiency, but there are 
certain tade-offs to be addressed. Contention based protocols which approach 100% 
transmission efficiency have excessive wait delays associated with them. Collision free 
protocols such as ANSI FDDI are better suited for approaching the transmission efficiency 


limit. 


27 





1. Clock Accuracy Verification 
Timing analysis is critical to determining how well the SAFENET system 
performs over the network. Recent studies have shown that bottlenecks (choke points) in 
the protocol stacks and the processors are more detrimental to network speed than the raw 
data transfer rate. In order to determine how well the SAFENET profiles perform, it is 
necessary to time different data transfers and compare them. Determining the system clock 
resolution is needed to accurately determine how long data transfers from one point to 


another take. Inaccurate timins -voulc - -opardize the validity of any data collected. 


2. Timing Test Procedure 

To attain a more meaningful result from data transfer analyses, data transfers 
should be conducted under normal net loading and under no load “ideal” conditions. Test 
sets should consist of two groups of file transfers. The test files should be selected based on 
size. The criteria for size is outlined in the following paragraphs. 

The largest data set must be large enough to exceed the size of the buffers on the 
interface cards. Care must be taken in selecting an appropriate size file and yet minimize 
the effects (by percentage) of overhead. 

The next file has to be smaller than the aforementioned file, but larger than the size 
of an FDDI packet. The space reserved for data is 4478 bytes in an FDDI packet. Once 
more, care must be taken to select an appropriate size file while minimizing the effects (by 
percentage) of overhead. FDDI has no minimum packet size. Percentage of overhead is 
calculated by dividing the number of bytes of overhead by the number of data bytes, then 
multiplying the result by 100. 

Validating operational specifications set forth by manufacturers and SAFENET’s 
standard and testing for proper installation are dominant reasons for collecting system 
measurements. Of particular interest are the fiber attenuation, band width, bit error rate, 
transmitter and receiver coupled power, connector loss, splice loss and the signal-to-noise 


ratio. Some measurements for conformance determination are to be taken before, during 


28 


and after installation. Fortunately, test equipment in conjunction with the theoretical and 
empirical analyses are available to measure and test each area of concern. The Consultative 
Committee International Telegraph and Telephone (CCITT) has _ produced 
recommendations for test methods to which, it is hoped, most SAFENET component 
manufacturers and test equipment manufacturers will adhere. The testing procedure is, test 
all parts and components before installation, test all parts and components after installation, 
and perform integration tests by testing subsystems and entire systems after installation. 
For complete systems tests, ensure data test sets emulate valid data; this will ensure that the 


results obtained are meaningful. 


29 


VI. TESTING SAFENET’S IMPLEMENTATION PROFILES 


A. TEST METHOD 

In this section, the test procedure is described; the following description is actually a 
refinement of the method described in [MILL90]. From the SAFENET standard, Finite 
State Machine Diagrams of the protocols contained within the SAFENET profiles were 
created. From these diagrams, predicate-action tables for systems of communicating 
machines were created for the OSI and Light Weight implementations. The test procedure’s 
initial input is a protocol specified as a system of communicating machines and the output 
is a complete test sequence and an Input/Output diagram. In order to proceed from the 
specification of a protocol machine or profile implementation to a test sequence, 
identification of the shared and local variables is necessary. The shared and local variables 
present a way for the tester to provide input to and observe output from the machine during 
testing. The test of each edge, transition, is treated as a separate, individual test, and may 
modify some or all of the.shared and local variables. 

The format of each single edge, transition sequence is 

Sy ipsg,..-ip/0,02,..-0m SE 

where Sy; is the state of the machine at the start of the test, i,,i7,...i, are the values of 

the input variables before the test, 01,09,...0,, are the values of the output variables after the 


test, and Sx is the state of the machine at the end of the test. The input and output variables 


are determined before testing begins and are taken from the shared and local variables of 
the machine or profile. The procedure consists of preliminary steps, the test sequence 


generating procedure, and refining steps. 


30 


1. Preliminary Steps 

1. From the machine specification finite state diagram, mark each transition 
whose name appears on more than one transition or edge. Each such instance for a given 
name is given a separate distinguishing label. 

2. From the predicate-action table note the number of distinct conditions or 
clauses in each enabling predicate. Mark each clause. 

3. For each shared variable x, determine if x is an input variable, output variab’ 

or both an input and output variable. For each x which is both input and output, split x into 


two variables, x; and Xo for testing purposes. 


4. For each local variable 1, determine if | is used as an interface to the higher 
layer user of this profile or protocol. If such is the case, mark | as input, output or both. Each 
such local variable is an input variable if it appears in an enabling predicate and a output 
variable if it appears in an action on the left side of an assignment arrow. If 1 is both input 
and output, it is split into variables |; and Ig for testing purposes. 

Step 1 is to ensure that each instance of each transition is tested. A protocol 
specification may have the same transition name on more than one arc; this step provides a 
degree of certainty that every arc is tested. Step 2 ensures that each clause is tested 
individually, if possible. An enabling predicate may consist of several clauses, any one of 
which may be true, allowing the transition to execute. In steps 3 and 4, the shared and local 
variables are identified. Shared variables provide the means of communication between the 
machine and other protocol entities within a profile. Local variables allow communication 
with the user of the protocol or profile. In essence, these variables are the means the test 
designer has of giving inputs to the machine and observing its actions. 

In some system of communicating machine specifications, additional variables are 
defined that are used internally by the protocol or profile machine and are not visible to the 


user (upper layer(s) of the protocol) or the tester. Typically, such variables are counters or 


31 


array indices. These variables should not appear in the test sequence as they are not under 


the direct control or observation of the tester. 


2. Test Sequence Generating Procedure ; 


1. S,€ initial_state 


2. Let t = (p,a) be an untested transition from an arbitrary state. What this 
notation means is that the current transition being tested , t, has the predicate, p, as input 
and the action,a, as output. 

(a) Determine the values of the input variables which make exactly one of the 
untested values of p true. Check to see if these values allow any other transition from this 
state to be executed. If so, set additional input variables to values that ensure that only the 
transition being tested is enabled. Fill in the necessary input variables, and mark the others 
DC for “don’t care.” 

(b) Determine and mark the expected values for the output variables. In addition 
record the expected values assumed by the local variables. 

(c) Determine the expected next state and set Sx to it. 

(d) Determine if Sz is transient; if it is not, label it as a “stop state” and proceed 
to step 3. Within the confines of the test procedure, a state is transient if one or more of its 
enabling predicates is true upon reaching the state. This means that the machine can 
proceed to another state without having to wait for further input from the tester. 


(e) Attempt to make Sg into a stop state by setting DC values such that when 
state Sp is reached, none of its enabling predicates are true. If successful, proceed to step 3. 
(f) Sg is a transient state. If more than one transition leaving Sg is enabled, 


arbitrarily select one and set the input not yet specified, such that only one transition leaving 


Sx is enabled. Set t = (p,a) to this transition. 


3. Output this test Sy ij, i7,...ip/01,02,...0, Sg as the next test in the sequence. 





4, Mark the clause just tested. If all clauses in transition t are now tested, mark 
t as tested. If all transitions are now marked as tested, exit to “refining steps.” Otherwise, 
proceed to step 5. 

5. Set S; to Sg. If S; is a stop state, proceed to step 2,; otherwise, proceed to 
step 2(b). 

Step 2(a) attempts to test each clause separately. For well designed protocols this is 
generally true. It is vital in that the tester knows which transition was enabled, and as a 
result, caused the transition to occur. In the event that it is not possible to individually test 
each clause, the test designer must set the input variables such that the clauses are tested as 
meticulously as possible. It is quite possible that such clauses may be tested in conjunction 
with one another. However, if a clause cannot be tested individually, the question of clause 
necessity to the specification arises. 

Steps 2(d), 2(e) and 2(f) are concerned with transient states. If execution of a state 
immediately enables another transition, it may prove difficult or even impossible for the 
tester to verify that the values contained in the output variables are as expected. For such a 
circumstance, the transient state and possible multiple enabling transitions that can not be 
controlled with these test methods, could indicate the need to modify the specification for 
better testability. 

Step 5 initializes the start state of the next test in the sequence to the ending state of 
the current test. The advantage here is that the ordering of the tests follow the order of their 
occurrence in the actual profile implementation. In order to exercise all parts of a protocol 
or profile implementation,some transitions may have to be executed more than once. In 
such a circumstance, judgement by the test designer may be needed. This is not necessarily 
a cause for concern; in the normal operation of a profile or protocol machine, certain 
transitions may be executed more than others. Consequently, during testing the same trend 


will likely be true. 








3. Refining Steps 

1. Construct the Input/Output state diagram from the test sequence. In this step, 
the stop state information is also used, assuming that there is at least one stop state. 

2. For each state, determine a shortest Unique Input/Output (UIO) sequence (if 
one exists). Append the UIO sequence for Sx to the end of the test sequence. If no UIO 
sequence for the current Sp exists, continue testing transactions (extending the sequence) 
until an Sg with a UIO is visited. 

3. Check for converging transactions which are difficult to test and may require 
special handling. These transactions are marked as potential problems. 

In step 1, the Input/Output diagram is constructed from the test sequence and is a tool 
to help the test designer ensure completeness. This diagram is constructed directly from the 
test sequence with the knowledge of “stop states.”’ The diagram’s initial state will be initial 
state S;; additional states are added for each stop state is encountered. The arcs are directed, 
and labeled with the with the values of the input and output variables. 

The I/O diagram generated from the test sequence can be viewed as an incomplete 
finite state machine specification. However, there is a relationship to the specification 
machine, because there is a tour through the specified transactions. It is not identical to the 
specification; there are states which are transitory in the specification and does not appear 
in the IO diagram. 

The purpose of the final UIO sequence in step 2 serves to verify that the last state 
which was reached in the test sequence is indeed the current state of the protocol or profile 
machine. Because the details of the machine’s implementation are assumed to be “hidden” 
from the tester, the existence of at least state with a UIO sequence is necessary. Without the 
UIO sequence, there is no way of knowing if the last transition tested, left the machine in 
the expected state. 


In actuality, the converging transitions, identified in step 3, are distinct transactions, 


with identical labels, which originate from different states but terminate at the same state. 





The existence of converging conditions can not be eliminated always and, therefore, 
complicates the role of the test designer and makes error detection difficult. These 
circumstances may naturally occur in the specification of a protocol, but should be marked 


for special observation. 


B. APPLICATION OF TEST METHOD 

In this section the test generating procedure is illustrated using derived specifications 
for two of the SAFENET standard profiles: OSI profile and Lightweight profile. The 
profiles are first specified as a system of communicating machines and then the procedure 


is given. 


1. OSI Profile Specification 

The specification of the OSI profile consists of the predicate-action table (Table 
1), the specification for each protocol within the profile, given in Figure 8, and the inter- 
process shared variable MEDIUM, shown in Figure 9. The single intra-process shared 
variable Transfer is used to model the network node’s internal bus, which is shared by the 
protocols within a node or station. An internal transmission is modeled by a write into this 
shared variable. The first field “Transfer.T” takes the value T or F, which is used to indicate 
whether the frame represents a time synchronization frame or a data frame. The second 
field, DA for Destination Address, contains the address of the protocol machine to which 
the message is transmitted. The next field, SA for Source Address contains the originator’s 
address. Fields four through eleven contain the values T or F and are used to control the 
intra-process routing; based on the values contained in these variables, the frame’s 
Destination Address is determined. Finally, the data field contains the data block itself. The 
single shared variable MEDIUM is used to model the bus, which is shared by each machine 
or network node. A transmission onto the bus is modeled by a write into this shared 
variable.The first field “MEDIUM.T” takes the value T or F, which is used to indicate 


whether the frame represents a time synchronization frame or a data frame. The second 


35 








field, DA for Destination Address, contains the address of the network station to which the 


message is transmitted. The next field, SA for Source Address contains the originator’s 
address; finally, the data field contains the data block itself. 

The OSI profile is defined by a finite state machine, a set of local variables and a 
predicate-action table. The initial state of each profile machine is state 0, and the shared 
variables MEDIUM and Transfer are initially set to contain the respective address of one 
of the stations or protocol machines in the DA field. 

The local variables inbuf, outbuf, etc. are used for storing data blocks to be 
transmitted to or received from other protocols. Outbuf is an array, and can store a 
potentially large number of data blocks. 

The initial state of each profile machine is state 0 and all local variables are 
initially set to empty. The inter-process shared variable MEDIUM initially contains the 
address of one station in its DA field. Therefore, the initial system state tuple is (0,...,0) and 
the first transition taken by a station holding the token will be xmit_time, or xmit_msg. 

Each profile machine has 18 states. In the initial state, 0, the station is quiescent, 
merely waiting for an incoming message, a transmit message signal, or a transmit time 
synchronization signal. If a frame appears. in the variable MEDIUM with the network 
node’s own address, the transition to state 1 is taken. When taking the xmit_time transition, 
in State 2, the station transmits the data blocks that it has via Transfer, moving to state 3. In 
state 3, the station transmits the data blocks it has, moving to state 6. As specified by the 
SAFENET standard, synchronization frames are sent via the ISO CLNP Protocol 
[HDBK92] page. 37. In state 6, the data blocks are formed into datagrams and transmitted, 
moving to state 17. In state 17, the station transmits any data blocks it has moving to state 
18. In state 18, the station transmits until its token holding time expires or all of its 
messages are sent; the station then returns to state 0. When taking the 
xmit_clear_logical_msg transition, in state 8, the station transmits the blocks that it has, 
moving to either state 9, state 10 or state 11. If in state 9, the station transmits the data 


blocks it has moving to state 14. If in state 10, the station transmits the data blocks it has 


36 


moving to state 14. If in state 11, the station transmits the data blocks it has moving to state 
12. From state 12, the station transmits the data blocks it has moving to state 13. If in state 
13, the station transmits the data blocks it has moving to state 14. If in state 14, the station 
transmits the data blocks it has moving to state 15. From state 15, the station moves to 

‘ station 16 after transmitting its data blocks. When in state 16, the station transmits the data 
blocks it has moving to states 4, 5, or 6; this transition is based on the message size and its 
destination address’ location. If in state 4, the station transmits the data blocks it has 
moving to state 17; from states 5, or 6, the station transmits its data blocks, moving to state 
17. In state 17, the station transmits any data blocks it has moving to state 18. In state 18, 
the station transmits until its token holding time expires or all it messages are sent; the 
station then returns to state 0. 

The receiving profile station, like all other stations not in possession of the token, 
will be in state 0. The message will appear in MEDIUM, with the receiving station's 
address in the DA field. The receive transition to state 1 will be taken. In state | the data 
block is copied and the MEDIUM is cleared by the ready transition. By clearing the 
MEDIUM, the receiving station enables the sending station to return to its initial state (0) 
or its sending state (18). . 

For this simplified high-level specification, the channels inter-process and intra- 
process are assu) 1ed to be error free. This means that the clearing of the medium by the 
receiver can be taken as an acknowledgment by the sender. Hence, there is no requirement 
for timers, time-outs or error checking on the channel. Although some of the finer details 


of the OSI profile are omitted, this specification contains the main idea of the OSI profile, 


and provides sufficient detail for the generation of a test sequence. 








1 


Receive 
Stat 


xmit_clear_lofical_| 


mit “lear_ma 
msg— —map_ms¢ 


ivate_map_ 





Figure 8 OSI Profile Specification 


38 





Each machine within the OSI profile in Figure 8 performs the following: 


« StateQ In the initial state, the machine is quiescent, merely waiting to process a request 
or transmission. 

- State 1 In the receive state, the machine copies an incoming message from the bus and 
acknowledges receipt of the message by clearing the bus. 

«State 2 The SAFENET Time Service protocol provides for the distribution of time 
information and the synchronization of distributed clocks within a system. 

«State 3. In addition to Lightweight and Xpress Transfer Protocol support, the OSI 
Connectionless transport protocol directly supports STS’s protocol data unit 
transfer. It provides the user with the ability to transmit a single unit of data, 
datagram, without the requirement of a connection being established. 

*State4 The ISO End System-to-Intermediate System routing exchange protocol passes 
address information among all stations that are on the same LAN segment or 
through intermediate stations. The ES/IS protocol provides stations with the 
ability to associate a data link layer address with a given network layer address. 

¢State5 The ISO Intermediate System-to-Intermediate System intra-domain routing 
protocol provides SAFENET networks with dynamic determination of routes 
used to pass data between intermediate systems. 

*State6 The ISO Connectionless Network protocol provides services for network routing 
and for the segmentation and reassembly of transport layer messages that are 

' too large for the underlying communications service. Additionally, the ISO 
CLNP has multicast data transfer capability, but limits the scope of transfers to 
users on a single LAN segment. 

«State 7 The Private Communications protocol provides a means for secure 
communications between network stations. 

+ State 8 The Directory Services provides a mapping from “user friendly” names 
(application entity titles) to presentation service access point addresses 
required in communication instances. 

«State 9 The File Transfer, Access, and Management protocol provides services for 
transferring information in the form of files among application processes and 
file stores. 

« State 10 The Association Control Service Element protocol provides services for the 
establishment and termination of application layer associations and a standard 
service for application layer protocols to communicate common parameters. 

«State 11 The System Management Application Service Element protocols specifies the 
management functions which are supported in a system node, and defines the 
semantics and abstract syntaxes of information transferred. It uses CMISE for 
communication. 

* State 12 The Common Management Information Service Element protocol provides a 
common message framework for management procedures supplying both data- 
manipulation and notification/operation-oriented services. 

« State 13 The Remote Operations Service Element protocol is used in support of CMISE, 
and provides a simple, uniform service for remotely invoking operations and 


39 


then receiving correlated replies to those operations. 

«State 14 The ISO Presentation protocol is concerned with the syntax of data the data 
exchanged between application entities and resolves differences in format and 
data representation. The presentation layer defines the syntax used between 
application entities and provides for the selection and subsequent modification 
of the representation to be used. 

- State 15 The ISO Session protocol provides the mechanism for controlling the dialogue 
between applications. At a minimum, it provides a means for two application 
processes to establish and use a connection. 

+ State 16 The ISO Connection-Oriented Transport protocol provides for the 
establishment, maintenance, and termination of a logical connection between 
transport users. It allows connection-related features such as flow control, error 
control, and sequenced delivery. 

+ State 17 The Logical Link Control protocol provides three services: Unacknowledged 
connectionless service which supports point-to-point, multipoint and broadcast 
in a datagram style of service, Connection-oriented services which provides 
flow control, sequencing, and error recovery, Acknowledged connectionless 
service which provides for acknowledgment of individual frames and supports 
point-to-point transfers. 

- State 18 The FDDI Token LAN protocol provides the ability to get data on and off the 
physical medium in a controlled manner. 





t = time; m = map; p = private; DA = destination address; SA = source address 


Inter-process variable 


vepum{tpoalsaP [bw SSSS—~*S 


Transfer 





[tT |palsale [m | es[is | CLIFTAM|ACSHSMAG Data 


Intra-process variable 





SHARED 


VADDEAINUDDALLADUDDEEUNSONSOSESSANGONDSED DOSED IODSOODLUNOBEDSOUDSGUCASNUDEOCHOEAUSUDNSOUUSEUASCUNSGUISEAUAOGLOGAOASOUCOUUONEUONEUOGEUSUCLGGEOUOGLORUCQSENGQUSOOUNOELOOCERSENGACEONSUENGLAQGUNUDOUUSELOSEOCUGUNNCCOSOOASOOttH 


outbuf 1 

outbuf n 

Sts_msg 

cl_trans_msg 
co_trans_msg 
xmit_clear_msg 
private_msg 
xmit_clear_logical_msg 
Xmit_private_logical_msg 
xmit_private_msg 
xmit_clear_map_msg 


xmit_private_map_msg 
ftam_msg, 
acse_msg, 
smase_msg, 
cmise_msg, 
rose_msg, 
presentation_msg, 
session_msg, 
es/is_msg, 
is/is_msg, 
clnp_msg, 

lic_msg 





local variables 





_t[palsales|is[ct] Daa 
_T[DA{sales| ts]CL] Data 


DajsalP [M [Fram] acse|smaS| Data 
pajsalP [M | Fram | acse|smas| Daa 
ajsalP |M| Fram] acse | SMAS] Dag 
palsalp [mM] ram] acse| smas| bam | 
pasalP |M| Fram] acse | MAS] Data 
balsa} [m[rram] acse}smas| Daa | 















[TIpalsa}p | baa 


Figure 9 OSI Network Node Data Structure 


41 


Table 1: OSI PREDICATE-ACTIONS 


LAI LR pieeemaermmny v-'-~ penaaiamaciaane 
receive inbuf ~ MEDIUM 

ready [me SSS*dYCMEDIUM 

xmit_time Transfer <— outbuf (n) a outbuf(n) —@ 
sts_msg Transfer < sts_msg A sts_msg <— @ 
pnivate_msg (p_msg) Transfer <— p_msg A p_msg < @ 
xmit_clear_logical_msg Transfer — xclma xclm¢e- @ 
Xmit_private_logical_msg}xplm (p, m, data) = (true, true, msg) Transfer — xplma xplme SD 


xmit_clear_msg (xcm) |xcm(p,m,smase) = (false, false, true Transfer — xcma xcme @ 
xmit_clear_msg (xcm) |xcm(p,m, acse) = (false, false, true) Transfer — xcma xcm¢ © 


xmit_clear_msg (xcm) |xcm(p,m,ftam) = (false, false, true) Transfer — xcmaxcme @ 


xmit_clear_map_msg m, ftam) = (false, true, true) Transfer <— xcmm a xcmm <- © 


7) 
° 
3 
3 

ss) 


xmit_clear_map_msg Kcmm(p,m,smase) = (false, 5 Transfer — xcmm a xcmm + © 


xmit_clear_map_msg xcmm(p, m, acse) = (false, true, true) Transfer — xcmm a xemm + © 


bed 
oe 
3 
3 
=~ 
oJ 
fod 
— 
= 
e 
= 
a 
e 
e 


xmit_private_map_msg m, smase) = (true,true,true} Transfer — xpmma xpmm¢— @ 


xmit_private_map_msg 


ted 
ao] 
3 
3 
> 


m, ftam) = (true, true, true) Transfer — xpmm a xpmm ¢ © 
xmit_private_map_msg {xpmm (p,m, acse) = (true, true, true) Transfer <— xpmma xpmm ¢ © 
xmit_private_msg (xpm)|xpm (p,m, ftam) = (true, false, true) Transfer <— xpm a xpm e © 
xmit_private_msg (xpm)]|xpm (p, m, acse) = (true, false, true) Transfer — xpm a xpm< © 
Xmit_private_msg (xpm) |xpm (p,m, smase) = (true, false, true) Transfer <— xpm a xpm <- @ 
ftam_msg ftam_msg # D ransfer <— ftam_msg a ftam_msg <— @ 
acse_msg acse_msg # D transfer <— acse_msg a acse_msg <- © 
smase_msg smase_msg # ransfer < smase_msg A smase_msg <— 
cmise_msg cmise_msg # © ransfer <— cmise_msg A cmise_msg <— © 
rose_msg rose_msg # © Transfer <— rose_msg A rose_msg «— © 
presentation_msg (pm) Transfer — pm a pm¢e- OD 
session_msg (sm) Transfer — smasme@D 
co_trans_msg (cotm) cotm #@acotmes = true Transfer — cotm a cotm €— D 
co_trans_msg (cotm) cotm #@ a cotm.is = true Transfer <— cotm a cotm€ @ 
co_trans_msg (cotm) cotn #@ acotm.cl = true Transfer <— cotm A cotm < @ 
cl_trans_msg (cltm) Transfer —cltm a citm -— @ 
es/is_msg es/is_msg #O Transfer <— es/is_msg A es/is_msg < OD 
is/is_msg is/is_msg # OD Transfer <— is/is_msg a is/is_msg «- © 
clnp_msg clnap_msg # © Transfer < clnp_msg a clnp_msg «- @ 
llc_msg lic_msg #3 Transfer <— llc_msg a lic_msg <— @ 
MEDIUMe @ 


msg_sent 


> 
nN 


1. OSI Test Sequence Generation 
First the preliminary steps are carried out; these steps determine the exact format 
of the tests. The measures employed are primarily concerned with input and output 
variables. After the preliminary steps, the tests are generated. For ease of reference the 


numbering below corresponds to the steps in the test procedure. 


a. Preliminary Steps 

(1) From Figure 8’s Lightweight profiie specification finite state diagram, we 
see that all transition labels are unique; therefore, no action is required. 

(2) All transitions have single clause enabling predicates; therefore, no action 
is required. 

(3) The shared variable MEDIUM is both an input and an output variable; 
therefore it is split into two variables MEDIUM, and MEDIUMo for testing purposes. The 
intra-process shared variable Transfer is both an input and an output variable; therefore it 
is split into two variables Transfer; and Transferg for testing purposes 

(4) The local variables outbuf, sts_msg, private_msg, 
xmit_private_logical_msg, xmit_clear_logical_msg, xmit_clear_msg, 
xmit_clear_map_msg, xmit_private_map_msg, xmit_private_msg, ftam_msg, acse_msg, 
smase_msg, cmise_msg, rose_msg, presentation_msg, session_msg, co_trans_msg, 
cl_trans_msg, lic_msg, clnp_msg, es/is_msg and is/is_msg are both input and output 
variables; therefore they are split into two respective variables, for example private_msg, 
and private_msgo, for testing purposes. 

Note that in step 2, the co_trans_msg and xmit_time are not separated into 
twodifferentclauses because both conditions must be true for the transition to be enabled. 

From these preliminary steps, we can see that the test will adhere to the 
following form: 


S; MEDIUM, Transfer, outbuf}... Iic_msg; / MEDIUMg Transfer outbufo... 


lic_msgo inbuf Sg 


43 


Now we are ready to begin generating the test sequence. 


b. Test Sequence Generation 

(1) We begin in the initial state, 0. In step 2 we may choose any untested 
transition emanating from state 0; we select the xmit_clear_msg transition.(step 9). 

2(a) According to the predicate-action table, to enable this transition the local 
variable xmit_clear_msg must contain data for processing and the DA field of xmit_msg is 
assumed to be state 9’s address. The remaining fields may have any values, and are 
indicated by an “x” in Table 2. The other input variables are set to DC for “don’t care.” 

2(b) When the transition occurs, Transfer copies the data from 
xmit_clear_msg, and xmit_clear_msg is set to empty. 

2(c) Sg is set to the expected end state for this test, which is state 9. 

(3) Noting that the next state is a stop state, this completes the first test in the 
sequence, and the appropriate values are shown in Table 2. 

(4) This clause and transition are now marked “tested.” 

(5) The value of S; is now set to 9 and another iteration starting at step10 is 
called for. 

The next iteration of the procedure selects the ftam_msg transition, and the values 
selected are shown as the tenth test entered in Table 2. The expected ending state for this 
tenth test is 14. The next iteration of the procedure selects the presentation_msg transition, 
and the values selected are shown as the eleventh test entered in Table 2. The expected 
ending state for this tenth test is 15. From state 15 in test step 12, we take the session_msg 
transition. The expected ending state resulting from this transition is 16. 

At the next iteration, the co_trans_msg transition is taken; the expected ending state 
for this thirteenth test is 4. From state 4, we take the es/is_msg transition. In test step 
fourteen, the expected ending state resulting from this transition is 17. From state 17, we 


take the llc_msg transition; the expected ending state for this fifteenth test is 18. From state 





18, we exercise the msg_sent transition using the “true” predicate, which leads back to the 
initial state. 
The remaining untested transitions are executed in a similar manner resulting in a final 


test sequence of 356 steps. The values of the input and output variables for all of these tests 


are shown in the appendix. 














YQ 
a 





Es 
18 


3sursuen oo 67 


a 
a 


3swuoneuasaid LG 


Pasar umd 





0 





Ll ssw EC 


gswr sue 09 1 





_ 


-_ 


gsw” uoissas O 
lp] [3swuonequasaid6| 
20] 6] __ssururysil 
| OT 0] ssw seaja wun L | 


lll. 








e 
(hy 
ws 
* 


6 











ie ST 
Le] asursysa P| 


dsursuen oo ¢] 





ssw uotyequasaid | | 





a fat Fay Fs 
R/R1318 
GTUHTELGHANTGTGVOGHEWOMERIGE 


fe 
My 
* 





‘a 
a 
7 


juss dsw 


0 | 
st | 
LU | dsw Oh 
9 | 
| 
a 


3surdujo 


Oo 





4% 
is 
< 
a 
& = 


v 


ove oc oc QAta00l 


—s 


* 
mn 


% va : 
lisa] Igsw ‘ lyaysueay 
1eatdoy feaiBoy aye aed ao tice 


AT4O0Ud ISO AHL YO AODNANOAS LSAL *7 F1GeL 


















4 















X,DA,Xx,x,% 
KDA XXX 


go : 
< 
| a 
Lad 


a 
3 


AUT 
a 
eT 


= oS SIN 
oto} s{ef ole} cto | =] =] S12 S =| SES RS PS ES st BS Es Gt Ge 


47 


“D) 





KDA, x,4,% 
mea 
aa 





iy oF So a 
haa 
DAZ FET 





co_trans 


msg; 


x,DA,x, TE Fx 





session 
msg) 
na 
ia 
feeeae| 
te tan ae) 
iste ag| 
ae 
cs 
aaa 
een! 
aes 
a 
—o 
ae 
Poe 
ee oil 
nae 
Peg. 
aa 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUE 





ry 
e 


2,DA,x,5,x 






Table 2 










0 1.DA 13 


















4 Fe als 
aR “ldelele SPSS] al Ss 


BY] SPSINI ale &) 81 S/O] &] ays] SI]: 
ee Kyl se] apo] cfolal of al ale a] eo] ol ol 
ool =| —] =} —-j= AT AENT A A A 


ee re ce ee ee cee ee ee ee ee ee ee ee ee ee ee 








TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 











Table 2 


outbuf, 


=) 







bc 
D6 
DC 
DC 


— 
bc pC 













* * 
ay oy 
rh ay 
be & 
uy ma 
ry my 
< < 
a a 
< Lad 


3 SAPP TARR. 
RR SARE 


tn 9 
a | 
Bi 
<|< 
ala 
ain 
ea i) 


Ra 
“ = 
is) wy 
< < 
Hn a 
-< tad 
7 « 


* 
* 
< 
wn 
Lal 
< 


Transfer, 
T.x,SA42 
KK SAFET x 





Dc 
bC 


48 













al 
z a) Lea who ~] 2 mje 


“¢ 
< 
2) 

* 

had 


~ 

gp 
ae 
ZE 


{oe 
ee) 
Fa: 


a 
° Q 
& 


isa) wy —, Nn LULL 


49 






(CONTINUED) 






x 
4 














CE FOR THE OSI PROFILE 


TEST SEQUEN 

















—IMsgo 





Table 2 


presen 
tation 





MS£o 





2. Lightweight Profile Specification 

The specification of the Lightweight profile consists of the predicate-action table 
(Table 2), the specification for each protocol within the profile, given in Figure 10, and the 
inter-process shared variable MEDIUM, shown in Figure 11. The single intra-process 
shared variable Transfer is used to model the network node’s internal bus, which is shared 
by the protocols within a node or station. An internal transmission is modeled by a write 
into this shared variable. The first field Transfer.T takes the value T or F, which is used to 
indicate whether the frame represents a time synchronization frame or a data frame. The 
second field, DA for Destination Address, contains the address of the protocol machine to 
which the message is transmitted. The next field, SA for Source Address contains the 
originator’s address. Fields four through eleven contain the values T or F and are used to 
control the intra-process routing; based on the values contained in these variables, the 
frame’s Destination Address is determined. Finally, the data field contains the data block 
itself. The single shared variable MEDIUM is used to model the bus, which is shared by 
each machine or network node. A transmission onto the bus is modeled by a write into this 
shared variable. The first field MEDIUM.T takes the value T or F, which is used to indicate 
whether the frame represents a time synchronization frame or a data frame. The second 
field, DA for Destination Address, contains the address of the network station to which the 
message is transmitted. The next field, SA for Source Address contains the originator’s 
address; finally, the data field contains the data block itself. 

The Lightweight profile is defined by a finite state machine, a set of local variables 
and a predicate-action table. The initial state of each profile machine is state 0, and the 
shared variables MEDIUM and Transfer are initially set to contain the respective address 
of one of the stations or protocol machines in the DA field. 

The local variables inbuf, outbuf, etc. are used for storing data blocks to be 


transmitted to or received from other protocols. Outbuf is an array, and can store a 


potentially large number of data blocks. 











The initial state of each profile machine is state 0 and all local variables are 


initially set to empty. The inter-process shared variable MEDIUM initially contains the 
address of one station in its DA field. Therefore, the initial system state tuple is (0,...,0) and 
the first transition taken by a station holding the token will be xmit_time, or xmit_msg. 

Each profile machine has 10 states. In the initial state, 0, the station is quiescent, 
merely waiting for an incoming message, a transmit message signal, or a transmit time 
synchronization signal. If a frame appears in the variable MEDIUM with the network 
node’s own address, the transition to state 1 is taken. When taking the xmit_time transition, 
in state 2, the station transmits the data blocks that it has via Transfer, moving to state 3. In 
state 3, the station transmits the dita blocks it has, moving to state 8. As specified by the 
SAFENET standard synchronization frames are sent via the [SQ CLNP Protocol 
{HDBK92] page. 37. In state &, the data blocks are formed into datagrams and transmitted, 
moving to state 9. In state 9, the station transmits any data blocks it has moving to state 10. 
In state 10, the station transmits until its token holding time expires or all it messages are 
sent; the station then returns to state 0). When taking the xmit_msg transition, in state 4, the 
station transmits the blocks that it has, moving to either state 3 or state 5. If in state 3, the 
station transmits the data blocks it has moving to states 6, 7, or 8: this transition is based on 
the message size ind its destination address” location. If in state 5, the station transmits the 
data blocks it has moving to states 6, 7, 8, or 9: From states 5, 6, 7, or 8, the station transmits 
its data blocks, moving to state 9. In state 9, the station transmits any data blocks it has 
moving to state 10. In state 10, the station transmits until its token holding time expires or 
all of its messages are sent: the stauion then returns to state 0. 

The receiving protile station, like all other stations not in possession of the token, 
will be in state 0. The message will appear in MEDIUM, with the receiving station’s 
address in the DA field. The receive transition to state | will be taken. In state | the data 
block is copied and the MEDIUM is cleared by the ready transition. By clearing the 
MEDIUM, the receiving station enables the sending station to return to its initial state (0) 


or its sending state (10) 


For this simplified high-level specification, the channels inter-process and intra- 
process are assumed to be error free. This means that the clearing of the medium by the 
receiver can be taken as an acknowledgment by the sender. Hence, there is no requirernent 
for timers, time-outs or error checking on the channel. Although some of the finer details 
of the Lightweight profile are omitted, this specification contains the main idea of the 


Lightweight profile, and provides sufficient detail for the generation of a test sequence. 


Table 3: LIGHTWEIGHT PREDICATE-ACTIONS 


CCAAETRUEATUEAEERTREERRERAE ETAT RARER TREATED EA HELO OOOODONSOROODSEOSOSDOOONOONOSOUDNSOOSDOEONSSODSUNDSRONSSONSONQUONSADDINNIND 


Transition Predicate Action 
Teceive inbuf — MEDIUM 
ready true MEDIUMe @ 
xmit_time outbuf(n) +O Aaoutbuf (a) t =true{ Transfer — outbuf(n) a outbuf(n) —@ 
sts_msg sts_msg (t, data) = (true, msg) Transfer < sts_msg 


xmit_msg xmit_msg # D Transfer <— xmit_msg A xmit_msg <- @ 
lightwt_cl_msg (Iwem) Transfer <— lwem a lwcm <— @ 


xfer_xtp_msg (xxm) Transfer <~ xxm A xxm <— @ 


cl_msg (xpm) xpm(t,cl) = (true, true) Transfer ~ xpm A xpm< @ 
xtp_rte_msg (xrm) wm (t,es) = (true, true) Transfer <— xrm a xrm + © 
xtp_rte_msg (xrm) xrm (t,is) = (true, true) Transfer — xrm a xrm — @ 
xtp_tte_msg (xrm) xm (t,cl) = (true, true) Transfer’ <— xrm a xm <— @ 
es/is_msg es/is_msg # D Transfer <~ es/is_msg A es/is_msg <— © 
is/is_msg is/fis_msg # @ Transfer < is/is_msg A is/is_msg <— © 


clnp_msg clnp_msg + © Transfer <~ clnp_msg A clnp_msg <- 
xtp_msg xtp_msg #@ Transfer <- xtp_msg A xtp_msg < © 
llc_msg lc_msg # O Transfer < Ilc_msg a Ilc_msg < © 


MEDIUM<e- @ 


msg_sent 








msg_sent 









1 
Receive 
State 





xmit_time 


lightwt_cl_msg 


assur dix 


Figure 10 Lightweight Profile Specification 


53 





Each machine within the Lightweight profile in Figure 10 performs the following: 


+ State O In the initial state, the machine is quiescent, merely waiting to process a request 
or transmission. 

» State 1 In the receive state, the machine copies an incoming message from the bus and 
acknowledges receipt of the message by clearing the bus. 

«State 2 The SAFENET Time Service protocol provides for the distribution of time 
information and the synchronization of distributed clocks within a system. 

+ State 3. In addition to Lightweight and Xpress Transfer Protocol support, the OSI 
Connectionless transport protocol directly supports STS’s protocol data unit 
transfer. It provides the user with the ability to transmit a single unit of data, 
datagram, without the requirement of a connection being established. 

-State4 The Lightweight application services consist of a set of communication service 
primitives which can be implemented to provide a user with direct, efficient 
data transfer capabilities. 

«State 5 The Xpress Transfer protocol provides services which achieve increased 
efficiency and performance by combining the connection process with the data 
transfer process. 

+State6 The ISO End System-to-Intermediate System routing exchange protocol passes 
address information among all stations that are on the same LAN segment or 
through intermediate siations, The ES/IS protocol provides stations with the 
ability to associate a data link layer address with a given network layer address. 

«State7 The ISO Intermediate System-to-Intermediate System intra-domain routing 
protocol provides SAFENET networks with dynamic determination of routes 
used to pass data between intermediate systems. 

«State 8 The ISO Connectionless Network protocol provides services for network routing 
and for the segmentation and reassembly of transport layer messages that are 
too large for the underlying communications service. Additionally, the [SO 
CLNP has multicast data transfer capability, but limits the scope of transfers to 
users on a single LAN segment. 

-State9 The Logical Link Control protocol provides three services: Unacknowledged 
connectionless service which supports point-to-point, multipoint and broadcast 
in a datagram style of service, Connection-oriented services which provides 
flow control, sequencing, and error recovery, Acknowledged connectionless 
service which provides for acknowledgment of individual frames and supports 
point-to-point transfers. 

+ State 10 The FDDI Token LAN protocol provides the ability to get data on and off the 
physical medium in a controlled manner. 


54 


t = time; DA = destination address; SA = source address 


inter-process variable 


weowm [7a Toe Sd 


Intra-process variable 


nanstee [7 oalsale Jo [es[is | culrrafacsavad ban 


SHARED 


VACHHUUAEAAADTSUGSUUDSUUGEUAUDSUAOGEUUGENOONSOUAGUANDSUUDGEOAEOELGOOUACEGGUAASELDONLOAEUAOUGNGGLSUGLTSEENOGAOQOLLSENOGGEOOOLESOUAAUGLICELOGUOLOUAOOENGQGUNGEAOSEUDOEAAOGESUOUUASERDNUUOGRAASUANEARONURSUNORUANODOVUDEANbEONLG 


ocal variables 
inbut | T|DA{SA|P | 
guibut 1 
ee T 
isons [F oalsaleshs [ox 
ana FbAses[ sla 
rip_ne.msg [TDA sal Es| is] cL] 
xtp_msg 
e_msg 
sts_msg 
xmil_msg 
xfer_xtp_msg 
clnp_msg | T 
es/is_msg 
isfis_msg 


Figure 11 Lightweight Network Nodes Data Structure 


55 





a 


3. Lightweight Test Sequence Generation 
First the preliminary steps are carried out; these steps determine the exact format 
of the tests. The measures employed are primarily concerned with input and output 
variables. After the preliminary steps, the tests are generated. For ease of reference the 


numbering below corresponds to the steps in the test procedure. : 


a. Preliminary Steps 

(1) From Figure 10’s Lightweight profile specification finite state diagram, 
we see that all transition labels are unique; therefore, no action is required. 

(2) All transitions have single clause enabling predicates; therefore, no action 
is required. 

(3) The shared variable MEDIUM is both an input and an output variable; 
therefore it is split into two variables MEDIUM] and MEDIUM for testing purposes. The 
intra-process shared variable Transfer is both an input and an output variable; therefore it 
is split into two variables Transfer; and Transferg for testing purposes 

(4) The focal variables outbuf, sts_msg, lightwt_cl_msg, cl_msg, 
xtp_rte_msg, xtp_msg, Ilc_msg, xmit_msg, xfer_xtp_msg, clnp_msg, es/is_msg and is/ 
is_msg are both input and output variables; therefore they are split into two respective 
variables, for example xmit_msg,; and xmit_msgo, for testing purposes. 

Note that in step 2, the xtp_rte_msg and xmit_time are not separated into two 
different clauses because both conditions must be true for the transition to be enabled. 

From these preliminary steps, we can see that the test will adhere to the 
following form: 


S; MEDIUM, Transfer, outbuf,... llc_msg; / MEDIUM Transferg outbufy... 


llc_msgo inbuf Sg 


Now we are ready to begin generating the test sequence. 





b. Test Sequence Generation 

(1) We begin in the initial state, 0. In step 2 we may choose any untested 
transition emanating from state 0; we select the xmit_msg transition. 

2(a) According to the predicate-action table, to enable this transition the local 
variable xmit_msg must contain data for processing and the DA field of xmit_msg is 
assumed to be state 4’s address. The remaining fields may have any values, and are 
indicated by an “x” in Table 4. The other input variables are set to DC for “don’t care.” 

2(b) When the transition occurs, Transfer copies the data from xmit_msg, and 
Xmit_msg is set to empty. 

2(c) Sx is set to the expected end state for this test, which is state 4. 

(3) Noting that the next state is a stop state, this completes the first test in the 
sequence, and the appropriate values are shown in Table 4. 

(4) This clause and transition are now marked “tested.” 


(5) The value of S; is now set to 4 and another iteration starting at step 4 is 


called for. 

The next iteration of the procedure arbitrarily selects the lightwt_cl_msg transition, 
and the values selected are shown as the fourth test entered in Table 4. The expected ending 
state for this fourth test is 3. 

At the next iteration, the cl_msg transition is taken; the expected ending state for this 
fifth test is 8. From state 8, we take the clnp_msg transition. The expected ending state 
resulting from this transition is 9. From state 9, we take the Ilc_msg transition; the expected 
ending state for this seventh test is 10. From state 10, we exercise the msg_sent transition 
using the “true” predicate, which leads back to the initial state. 

The remaining untested transitions are executed in a similar manner resulting in a final 


test sequence of 32 steps. The values of the input and output variables for all of these tests 


are shown in Table 4. 


































Po a Jor Fs as"asu Ze) 
ee ee ee Pe | od Oo od Od a 
a es a SR Sy Sere See rec ee Ge 
po eee TT for sa ay 
ee 
aad A aS a a 
ee) a) EE See ee eT es ee ee 
ee ee ea Ee Sa ee ee ee 
a ep a 
evr oa oa aa 7] 
Pe ea af od Td fol 
I RS Loo os Meo 
Po eS es  Oaod Ie Od | | 
Pv fog oa Toa [Coa Jo] 
ES NS TS RS SS OR (kc) NN Wc os cS S| 
PT oa sat og a for __as-asu_Fi] 
PT Toa sat oa Sis | —sasuro 
a on of cog 9] sul si/so_ Cl 
pve TT oa aa oa Tid sf swords Ty 
Pt vd Teo a a [oa] 
ae ee ae A EE ES Sc ee se 
Pa aT oa Ci fora tsur 8 
ee: Ee! eae ee een ee Pod oa fod a 8 tsurdus 9 
ae Ea Gene Se Te Ms Fe ee ee ee as jo 
cae Geared (NT anaes Gaeey Pog oat oa a F | 
eva og oat ag fg J 0] sw 
a et Ll od od | od i ore Apeas¢ 
issu J3sw ‘ laaysur. IWwhiaaN | 's uoljisue. 
oR | el Lm |e | een] Se 





ATMOUd LHDIAMLADIT AHL AOA ADNANOAS LSAL *p AIGeL 





58 









elie < Ni iN 











xmit_ 
S20 





Sts msgo| 





oO 


) 


pc 
DC 





outbuf, 
(4,2 


DC 
DC 
{ 

Dc 





* 
i 
By 
< 
“a 

Lf 

7 


x,.,SA.FF Tx 


ri 7 * * 
te & be nf 
2 = iy ay 
fe 1 a ay 
< < < < 
a aH a a 
* “ * * 
- tf Lad “ 


x,5,SA,X 
x,4,SA,x 


Led iss 
alA 
isd fies 
Oe i: 


X,5,SA,x 
K,X,SA,Xx 
a,,SA.R 


5 fees 
S| 4 
a 
a oa 


X,X,SA,K 
R,2,SA,K 
RLR,SA,K 


" 
< 
4 

< 


Transfero 









TEST SEQUENCE FOR THE LIGHTWEIGHT PROFILE (CONTINUED) 
DC 
DC 





e 
e 








Table 4 


x,DA,x,x 
x,DA,x,% 












x DA,x,x 


pe 
bc 
ee 


clnp_msg)|xtp_msg,jlic_msg, 
x,DA,x,x 





















Sg 


‘a ms 






Table 4: TEST SEQUENCE FOR THE LIGHTWEIGHT PROFILE (CONTINUED) 





Zo|clnp_msg 
<= 
Bp Es aa 
az ae 
= > se i 
hoes 
ee 
ae 
eae 
aay 
ae 
ae 
aay 
fewer 
i 
aaa 
f= 
aa 
eect 
ae 
eee ai | 
bs 3 i 
oe 
ety 
Gaal 
ee) 
ieee 
ese] 
ieee 
a 3] 





HEEELTELLE — — Aba alata St Stays 


MSgo | is/is ms 





es/i 





vi. CONCLUSIONS AND RECOMMENDATIONS 


A. CONTRIBUTIONS OF THIS RESEARCH 


The goal of this thesis was to present a series of test sequences for the SAFENET 
communication protocol. The procedure takes as input high level SAFENET profiles that 
are specified as a system of communicating machines, and gives as output, complete test 
sequences for SAFENET’s OSI and Lightweight profiles. A brief specification of 
SAFENET’s OSI and Lightweight profiles was given using the system of communicating 
machines model, and test sequences were generated. 

The test method described and employed here further demonstrates the flexibility of 
the system of communicating machines model. A protocol can be specified, verified, and 
tested using techniques based on this model. The concept was expanded and applied to a 
high level profile which encompassed several protocols. In the test procedure, all transition 
instances in the finite state machine specification is tested in conjunction with each enabling 
predicate clause. The preliminary steps were employed to determine the input and output 
variables; the sequence generating procedure was employed to assist in fault coverage. The 
example test sequences for the OSI and Lightweight profiles were used to demonstrate the 
application of the specification and testing methods associated with the system of 
communicating machines model. Since these profiles have the potential for wide spread use 
in present and future naval combatants, their existence as system of communicating 
machines model further illustrate the applicability and usefulness of this method. Utilizing 
a protocol specification method which places emphasis on testing yields better results than 
using a specification method that was not designed with conformance testing in mind. 

Some of the current literature discusses the correctness of a test sequence; their 
apparent emphasis is on shortening the sequence length. However, the system of 
communicating machine test procedure emphasizes the ability of the sequence to detect 


errors rather than the achievement of an optimal test sequence length. This test method can 


61 





a 


only test for the presence of desirable behavior in a protocol or profile machine. Given the 
current level of technology, it is not practical to exhaustively test for the presence of 
undesirable behavior since all possible errors that could occur in an implementation can not 


be foreseen. 


B. AREAS FOR FURTHER RESEARCH 

The issue of security services for data on platforms with a SAFENET implementation 
exercising data transfers of multiple classifications will have to be addressed. Commercial 
LANs have encountered and solved this problem with respect to sharing a LAN with a 
competitor, but with the performance constraints placed upon SAFENET, the completed 
risk ~nalysis should provide some definitive system configuration with respect to security 
services. Consequently, research effort must be expended to directly address this issue. 

With this test method being as straight forward and easy to apply as it is, it should lend 
itself very well to automation; research iiito to the feasibility of this could possibly prove 
very valuable in the wide spread acceptance of this test method. Further research could 
concentrate on decomposing the protocols within a SAFENET profile and applying the test 
method. In addition, future research could concentrate on extending the error detection 


capabilities to detect multiple errors or to detect them in the presence of converging 


transitions. 











APPENDIX 


a 1 
@ 25 
-—= = * 
cs E LTE i fl 
* 
ty 










a 














fae ee & & 
om 3 3D ' 

B22 it % 
xOE ; 4 é 
s_| 

os) 

re SOA 

G26 

4 





e_logica}| 





ate jat 


outbuf, ‘ 





a eal Pend fa Ft En] Fd Fad End En Fa Es 
& RY RISIRIS[R 1S] 8] SISIRIS 


Table 2: TEST SEQUENCE FOR THE OSI PROFILE 










Yas 
fol [=f of of =] 2[2 [ofS] Ffofe[= 22] oF] lof l=] ]= fe [= /=| 
ao 2 oof 1 col Jo 
“a a 
30 E 1 ET ool 3° el f& 2 
< & : § s ate 4 § 1 e 
s 12) ea) aba | bal 3/212] 5 i 
3 ZlES Ss rolele ele] § SOP EVE]2 ad 
a Wns Els q see ; 
g 5) |S) ste] 1 2 gal o zlel2]3 é 
a 1 a 
E 2 B) & g eLe BIST 8 gis = re 
Val colo} S] =I SITS ASS PoP ES Est aa 























63 






Table 2 





TEST SEQUENCE FOR THE OSI PROFILE 


gical 


rivate | ate_logica} lo; 


Pp 


RIS 


sts_ 
msg; 


outbuf, 
(l 2) 





MEOIUM: Transfer, 


# 


_msg 

msg 

_msg 
msg 


Clear 
‘ans_msg 
clear_msg 


mit_ 
34 acse_msg 


t_clear_msg 


session_msg 


co_t 
4 session_msg 
45 co_trans_msg 
co_trans 
8 smase_msg 
| presentation_msg 
62 session_msg 


s 
i} 
& 
3 
s 
7 
ve 
a 
ve 
i“ 
4 
fo) 


wis se 


37 
3 





AQ xmi 





5 | presentation_msg 


sole 
E 30 
¢ £ 
.2 ( 
8 3 
3 g 
=) 

eaten 


SQ acse_msg 


rm 
2 
i 
Ei 
8 
bea 
Ga) 


47 lic_msg 
S7 xmit 


64 









od su pradoy rays WwW 


esau] 
Lif ssw", £6) 
asursv/sa_ £ 


[asur-suen oo 0a 


SALTS Va 








Al] 
AIS] 


od 
ad 


‘PTLD Y VG 


8 
Q 
a 
2) 
a) 


ne 





a 
B 





HIER 
2 





sur” eBoy seajo nwx/ 


7 CS: 





debe 
ERERRRREEREEE 


eI 
2 
E 
: 
8 





3sw_uotsses C8 
| Od | PI J8sw~uorrequasasd 18 
let] asw-asor_ 08 
|___ ssw ass 61 
| __ aswaseurs 84 
| Bsus rea” ux LL 








ssw on S 


P__asuron od 
PRureyst_vd 
SUB L 


Li 
$ 


91] Ssw7suen oo £1) 
|_3sw_uorsses_ CL} 
Bsus _uonejuasasd IL 
PF — asuros0i 00 
aout osews 89 





rod_og 
pag, 
od od | 
faq 
aed 
Eaed 
[od _ od | 
[odo | 
Pod og 
| od 9d | 
P5a—5a 
[Od 9d | 
aed 
Poa od 
f>q_oa 
fag 
G9 | 
pod 3d | 
od 9d | 
Ea 
pod _ 9d | 


Ssw yeaa jtwx £9} 


od: I 
od | | _wuas 3s 99) 
| tg | "a 
rane) (ides aes Ss wOnISUeAL, 
+ 


if 
! 
t 


ie 
ig 








a! 


: 


- 
a 


B 
afi 











z Tasur | 
{ea13o] JeaBoy ase 
yiwx B3qD yeux AVId 20x 


ATMAOUd ISO AHL WOd AONANOAS LSAL ‘7 Pte 


wt 


ayeALl 











ee 





65 





iG) | ssw suen 09 82] 


Da fst | seu worssos ZCI 
CG trl Fsw uoneuasaid7 | 








Os ET 


8] S15]8]8 
8] S/SiStS 





ARR 


I 





a [wor ZO 
Lt | 
fe [Faure Oc 
Ga gsur suen od 6} 1 


7 Bsuruonewuasaide | | 


3d Jor [aur anon 3 
“eBoy ses} wx p | | 


en ce 
po a sw og ZIT 
a 9 | asurmduys UI 
Ld fot | ssw suen” oo Otl 
2d fei | ssw uorssas_ 601 
| OD rt Bsur uoneuasaiROl 
oa] 6 | assur uy Lo 
8 | Bow dew se2po" rx QQ) 
pu eoidoj 38949" n¥G() | 
Pd Ist tues 3su Ol 
PO LE sws'9j, £01] 


| 9 | Sswsuen’ 09 101 
loa. OG | oa | Ist [Bsus _uoissas 001] 
ai od fd tet Psu “uonwiuasesd 66 

Yee oc De Cee 
2619 


iZsu |. (su) Wsm lyaysu wOrJISUeAL 
“yeardo; eveey oe Poona wD, JQjSUCLL 
WUIxpea}a jUIX] , 


@TWAONd ISO AHL 40s AONANOGS LSA *@ PIqe@L 








RI 











B B 
8 B 


B 
a 


. uy 
i 
7 aed 
ay 
< * 















nea 
bi 








rs L Ltt vd 








I3sur_dew|— ‘sur 


afd jx 

















66 


& 
s 
ie 


¢ asur_ sist OOF 
od _ swsuen or 6S] 


3sw” uolssas 
[asa wonrnorad LS 
3susasoy OG 


8 
® 
3 


et 
Bie 


can 
eI 


ay 
Ge 
tay 


“ 
< 
f4 


dsui sues 09 
ssw _uoissas § Lbl 
3su-uonewosad Op] 


[Bsur2s01 SP 
TReuresue vo 
[seurorous_€PI 


“jea@oy seapo- nw p] 


[wer dou OP 
sur on 6e 
| seur dino Be 


gsu suey oo Let 


[Snir vonrnoeaid SET 
 sswrasoe Fel 


sur deur seaja unt ¢ | 
Fyeodor se] nx | 
|__juas-3sw_ £1 


L9d_ 9G | | ssw OFT 
Pc sur syst 6c) 


(71) [aysueay WOTPISURAL 
Ijnqjno 


ATWAOUd ISO AHL qOd AONANOAS LSALL :Z Pe 


a a a 
a RIA 


' 


i 
_— 


SE REESE 
= 5 





67 





su” 9 C61 
Feu syst 161] 
|_asur_suen oo 061) 
[ asur-worssas 68 





od 
od 





- 


lala] 
lala] 
Ht 


3swvonmuasod QR] 


3sw_ wey LB] 


“dew neaud nw rQQ | 


Q 
a) 


| 
a 





gy 


Lin Im Joo S m] 00 4 
J a6. 










Bsus jeo@o, ayeaud ywx 


Ssw~ayeaud ¥8I 
[wes as C8 
Faron 2 
Baur ayes FST 
8swsuen oo O8 
Yswuorssas 6L1 
Ieuvonewosed Q/] 

Ssur urey LL 
dew aeaud ynurQ/ | 
Bsw* wordoy syeaud nx 

3swayeaud PL 


I 
[wor dsw £2 
Feary ZZ 
Pseudo TZ 
[Feursven09 OCT 
|__Sswi_uotssas 691) 


Ssw-vonnuesad BOI 


[Seu asor 291 





















4 yt ye 








& 
& 
& 

4 









a 
8 


I's 








> 


PEPPPEPPEPEPPPE PP 


1 
[sur se 991 
|_3sur_asews $91 


bk 
PFE EEFE 






Fl 


1] Q8spr roo] s¥9j9- wwf 9] 
fod og | aL | __was sou C9 
gd og) og fg Ty | y 


l 
I8su} gsm ‘ Taysueay wonsuely 
re | se 


ATION ISO AHL YOd AONANOTS LSAL °Z PGE 


‘a! 
a 


Addl lll 





















68 




















ssw ayeaud tC 


| __ was asus £27, 
LU} sway CCU 


Ssu syst (77 
dsw suen” oo (C7 
3swuoissas 61d 


&sw uonesuesad QZ 
3suasoe LIC 


> deur areaud™ ur | 7] 


od 








B| SIala|S 
5] S}ala] 8 


eit 
Lt 


~ “ 
t-) 





{ 





rs 
CL Bsw jroo ayeaud” ux 
Isw-aeaud 1G 


quas dsr 1d 
1] asuog Clg 
8sursuen oo OFZ 
Si[ fu vorssar 600 
yl | Bswuonewussaid 207 
lot | _ 8sw7asoe_ LOG 
83 E ' 

LF ‘ ud s 
Pd [8 | ues 3sw £07 
fod og | od fa fet sur on 0g 
gi jd ff Bsus duys 107) 
pod od fod fF Jot | ssw suen™o9 OC 
oq og] oa TO 6] su ury 61) 
ES RS We es ee Be Ee 
‘ayLirtvd gd fk, Bow pro 18 07 aren sux 

rdrtiurvd fog og} og FO J 0} Sswaeaud $61] 


I3sur_ Ista} Ssw : 1 


Je99{ ~yeardoy fes1Zoy_age 
AWAONd ISO AHL WOU AONANOAS LSAL °7 21481 














a & 
a 
2. & 
: & 
: < 
< 
< 








A a 
| a 


F 
‘ 
é 
z 











cl 
2 
3 
z 
g 
2 
ws 
: 

















' 
56 
a 
E 


z 
g 











69 












1S) 
-~ 
re 
: 

<4 
4 
= 


o 
a 
1S) 
a 





& 
3 
tf 





2 
Q 
Qo 
ja) 


IST | Sswrouoissas £7 


aswuonewuesaid (OC 


aswasturs OSZ 
3swasewus 67 


"deur neaud nar PZ] 








LET LLY ve 





93 









Rous yeo@oy aeaud yrurx 
asu_geaud OFZ 








f4 
€L | feur-osor OF 


a) 









™ ] 00 
y 





Bow [eooy aeaud ynux 


Ye |__juias “asw ££ 7 
Lt | ___ssuroy ce 


ssw suen” oo OFZ 


1G 





|_ 3sur_uoissas 6¢C| 
| ____sus“asov 177) 
ud nC 





a 


1 


















PLAL LE VC 














ATMOUd ISO AHL WOd AONANOAS LSAL *Z FG2L 





70 

























L sw ayeaud” nwxO87 
af urea U0 


3sw~suen oo $12 
3sur_uotsses LZ 
8suruonriuesaid ¢ / 7] 

Iswurey 717 
Bw aed wuxl Ld 


3sw_uotsses $97 


t 2X4 








a Tae STEVI) A RSLS RSL RSTO WO DETTE 

CE Beara Pf fod aad far | 095 asur 28 

Bae Bale ie pod SG} od Td at soy 98) 

ieaicadl Koma a A FE Ps] fewrayst $8 

(eS Semen -—_[___ Joa oc] St | Ssur suear 00 P80 

aa ee a ee Ist] eur uowssos (RQ 
Wao ae 





1) 
a 











it 








PELE bE 


» 





ne 


> 


I 
I 











a 
eS 
4 
a ' ' 


| _3sur_asews 197) 

Ea 
aera 1d 3d re |g Bow odor send sux 
ae } od 5a | LO] swTaeaud 8S] 
[os y did tO gL quas ssw LSC) 










e Issa | 
182130] featFoy_ aye 





eres 
T3su 
ageaLid 









q 3 
I3su (71) Jaysaea GOIISUPAL 
“sis | Inqino 


AMAOUd ISO AHL YOd AONANOAS LSAL *7 F198 





1 


7 






Y 


ca 


7a asursuesy oo OCE 


Ssuruoissas 61¢ 
asuy uoneuasaid REL 
S3surasoe LIL 


Ssw' ayeaud inuy QO]! 


T[o-| tur owaud Se 
P__ wes tou PT 


P—ssursyst cry 


3susuen oo I1f) 
3 











ala} 3] 8 
AIAIAIS 





< 


a 
a 


4 


FEE EEECEFErEEFE! 








I 





8sur_uotsses OI 
[ear eemmd 60h 

Sswasce 80 
Sswaeaud ix LOE) 
| 3swarwaud 90f 

quas 3swi G0)! 
Ltt ssw ot POY 
|__Bswsysa_€ 08 


3sw suey oo COU 
8swuotssas LOE 


[rarennreemd OO 
—seuranoe_ 66 
}Od Od | L | asurneaud ux RGZ 
gd Sd] jd | TO | ssw areaud 16) 
fod Sd fod Od fat as “asus_$6¢} 
og od} og tg FAI | sw oy S6C 
po a od a 9 | aswduys $67 
td od Tod ft Jot | Ssursuen 09 £67 

L uot 
Pg gt og a To J Beur vonenasd 167] 


tod dt od fa fe | sur wey 062) 


=| sr (21) fuagsuess | waraaw] 's uonIsuety, 
31) j_seay9 [e180] Jeardoy aye} BEAL I (4 1 


AMAOUd ISO AHL YOd AONANOAS LSAL °Z F181 





LA L's 








8 
ra 









uw 


id 
ie 
a 
= 
ad 
< 









pas 
P| 
eee 
ea | 
at 
ee 
Cs 
aa 
arr'vd 
eal 
a 











) 
a 
& 
<€ 
2 
wa 





8 
“a 
N 
a 
N 





vu 


HONSEAIUOMPOAIUOHUEMEOTONNOTOOIE 
ANETTA 


al 

a. 

5] 
36 
Da 
E 





72 


























































pf td Tt [sur uorssas Tot 
+} ff} +} }20 ft Asus vowrewascid [Cf 
a) Ee a Ses a ees Jd 9d | od a fei ssw asor 0St) 
RS RR I RS Sc 8 
po fo a gf Pt ssw asews 874] 
RS DE Cc oe 
RS SS RS NS NS Eo CT 
Pi a fa fa far ssu"on_ pve 
pt af a a ST aswsyso_trt 
pt ot [91 | asus suen”oo cre 
ae ee a ee a a FE 
A A ES SA A ST EE A CN 
Po a a Jet asur“asos_6€Y 
ft —— f+} 4 +} _} ots} od fa ee 
sa Pt Bsus asews LEY 
EEE aS A A A A Sa GS ce << MS NN ES Sow areaud mmx OEE 
EE ES Ss ee ee p20 2 | df 
a) a A es) Se ET [9G _ 9d} 9d tf as"asu_pet 
ee ee ee ee eee 
RS RR RS RS A NS ON es oc es 
pod [91 | Bsursuen"oo Ike 
Pt JST sur vorssas ObY 
pt od | od Ty | ssut wonemomrd_ 67) 
RS RS CEN RN NS so Ts 
Pi a] og fet sur asiuio 2 
Pd a a tT ssur“asews 97] 
EET Cn TS AS AS SNES NOY RUNNER (Foc Move occ MSL PN Ce a9 
Pv od oa} od ff Of sur areaud 9¢¢) 
po gt fas asu_€7¢) 
Po of od a fet ssw oy Coe 
a ee BES ee "qo MEI vc ES Do a 0 STs eA 
Tsui = I3su 1 uoNIsUe. 
“Jeatdoy [eardoy “ss aldo eas as sea 
aD qx 





WWAOUNd ISO AHL YOu AONANOAS LSAL *Z FIGeL 


73 











PF 
e_ 
81 


xml 
ivat 
ms: 





i _— 
vate_ 
P_msg 


clea tie 
“ns pri 
SI ue 


it 
—ixmit 
lear 
Sgy map _ 


x 
cl 
m 


WV 


PIV ixmit clea 
ate_logica} logical 
I_ msg, msg; ~ 
BU Pe PINS Me es Ee ee I eh Be es ee al 





Table 2: TEST SEQUENCE FOR THE OSI PROFILE 


outbuf; | sts_ } 
et eee poop pe ieee ess Bees 
eet ae 
ai aaa 
eee ea poo ee 








Tans ms 


P_msg 









co 


Transition 
54 c 


moo Siz a) 90 


355 Ilc_msg 
msg_sent 


pe 
a7 











KDA,X.x.K 
KDA Ka 
K.DA.X KK 


( 
Qo bd ie) =o 
OO — CH) Sto el Eli tes Kel 


75 








XDA, x,x,x 






RDA, KKAX 
aa 
ae 
| 
Mee as 
ae 
ae 
ez 
iat 
ee 
ae 





ae 
fe oe i I 
T.DA.XF FT 





x,DA,x,T.RFx 


x,DA,s,FT.F,x 





eee 
ae 
ee 
aay 
es 
| 
a 
K,DA,x,x,x 


TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 








X,DA,X.x,x 





Table 2 






O x.DA,1,3,x 
7 



















x.DA,K,K,x 


x,.DA,4,2,5 


* 
< 
< 
< 
a 
= 
“ 


in 
ed 
“ 
< 
= 
4 
“ 


< 
“ 
< 
a 
Ps 


PINION AISIFLA FI APLC Ste] Z 


76 


X,DA,X,4,8 












X,DA,Ax,X 











x,.DA,X,x,% 



















x,.DA,x.T.F Fx 
s.DA DER 


x,DA KET 
x. DAE T x 





RDA RK 
DAKAR 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 






KDA,X,x,% 





x,DA, KAS 


XDA,X,x,x 
eae 
as 
peas 
pa 
ines 
atc 
eee 
ez 

ae 






Table 2 







XDA aa 













KDA, x,x,% 
K.DA,x,x,% 





KDA, Kx 





X,DA,A,X,x 






cad 
Ee 
= 
ei 
< 
Fat 

< 









x,DA,x,5,x 


TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 






. 
e 






aa 
se S| 
aa 
reas 
eat ae) 
maa 
Et aoa 
ae 
2a 

RDA ARK 


Tabie 2 
















aDA,x.n.% 
ea | 
ae 
aoe 
Pas 
fee a 
a 
| 
aa 
| 

BDAK4 | 





a! 
“ 
< 
4 
Ea 
ve 


77 









x,DA, 2,4, 


| 
a 
fz 
sf 


The Sis 


78 















x.DA x45 


a,DA,x,4,% 





x,DAX,F.T Fx 
x,DA.x,T.FF x 
x.DA RETF. 






XDA KK 
aaa 
ie | 
eed 
ares 
ae 
as 
Rey 
aa 

X,DA,4,x,% 
ee all 
aa 
aa 
ae 
ea 
ae 
ae! 
eae | 

RDA RAK 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 









ADA KA 
X.DA.4.x,K 


Table 2 











98 x.DA,x,a,2 

















KDA. RR 


ies 
e 
a> 
wE 


‘ 
—_ 
i) 
a 


\ 
a 
Ss — 
556 
38 


x.DA,x,x,x 






3 JDA,4,4,% 






x.DA,x,x.0 






x .DA,X,x,5 









5,DAX,FET,x 
x.DAR FTE 


" 
iy 
a 
4 
< 
a 
* 





co_trans 


msg; 


- 





x,DA,x,3,x 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 









tation_ 
msg 
me | 
eae 
= tl 
ae 
Sa 
rae 
| .DAK2. | 
oe ee 
mae 
| 
a 
ae 
| 
ares 
ie en 
ae 
eae as 
XDA xx 





Table 2 





Hs xDALX3 


—_i 


79 












X,DA,x,x,x 
%,DA,x,x,% 
RDA Rx 





cinp_ He_ 
msg, Msg] 


DA | 
Re es 
as 
fe sl 
fa 
Vee 
a 
awe 
ice 
aa 

x,DA,X,2,5 











cl trans 
81 





) trans — 
S81 
x,DA,x,FE Tx 


co 
m 


5,DA.x,.TEFx 
R,.DAWART Fx 





session 
msg] 
eee: = 
BESE 
faa 
p= 3 
Be 
be ee) 
aaa 
be 
1,DA4,4,5 
x,DA,x,x,2 
=a 
=a 
Pd 
Eee 
ee 
Sea 
eee 
eee 
aay 
x,DA,x,x,8 
ee 
hae 
a 


TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 








K,DA,x,5,% 


presen 
tation 
msg 
= 
eee 
Rees 
fin oe | 
hae 
Ri amas 
x.DA,x,3,x 






Table 2 







4,DA,X,3,x 






ei= Kd a — 






























mE ¢ : 3 
—~JPaeé a 
fom «= 
i) a 
Sl aa 
al Rel 4 
z. = 
SE a's 3 
Vi Se < 

_ 3 
5 2 
aa 
— | ms 
> Pr 
a 
cs 
S 
fx) g = 
eia's 
-4 
=) 
fhe - 7 bel 
r. 1 el ay bas! 
al : 5 
Ziss < < - 
a] ee q g g 
= SE - is id 

4f— = . « 

g $e < < 
& os a 3 
= 






RDA,X,x,% 






Tahle 2 











elie Ke SS 


81 


3DA 3,45 


Ea 2 
aaa 
meee 
ee 
eet 
[te ues! 
eas 
nae 
ee 
= 
are 
econ d 
4.DA,X,4,x 


te 


hos 
195 
196 
197:.DA.x.x, 
198 
199 
200 | 
201 
202 
203 
204 
p. 
? 

ain 
212 
213 


~) 














msg; 


2 
ve 


is 
4 
* 
< 
a 
La 


BLDA,X,5.x 
RADAR KK 


K.DA,1AN 





x,DA,,x.% 





x,DA.X,x,4 






KDA,x,x,% 






“ 
ae 
is 3 
< 
a 
= 


x.DA,x.R TF 


xDAXFF Tx 





8,DA,X,KK 

— 
as 
eae 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 









X,DA,X,x,% 

as 
aaa 
ae 
ae 
eae 
aime 
ae 
Eee 
oe | 
ae 


Table 2 






smase_ 
msg) 
=| 
Leena 
aa 
fe! 
am 
Fm oa 
aw 
Ie as eal 
eae ail 
Besa 
fee 
ae 
0,DA,x,4,% 
pe asl 
PR a ceal 
Baa 
= 
el 
fea 
ae 
| 
ieee! 
ae 
=z 
R,DA,x,x,% 


Pas] 
Ee) 
reel 
eel 
=| 
Co 
a 
ma 
ae 
| 
neal 
cae 
=a 
al 
a 
| 
ae 
ee 
a ei 
ae 
el 
aa 
aa 
Sa 
re 
ea 
| 
Pe 
ome 
ed 









82 









X,DA.x,x.% 


K.DA,X.x,% 
XDA,Xx,3 


] 

a 
ba 
al 
4 

A} 
ad 
$8 


2a 
aE 


= (| 
“ 
2 
< 
ral 
c 3 
¥ 
3 
rat 
hed 


ej 
“ ra 
< 
a 
oO STASIS S i fea a wtzIinmiwo N Wisi: | 
ejSiSjz of ey Lael Bae 20} og K1X| 20] = 


83 





a,DA,X,x,% 





XDA,X.xK 






x.DAAZFE Tx 
x. DAA TRE 


ted 
iy 
- 
“ 
< 
ray 
- 





X,DA,x,x,x 
XDA,X,x,% 
aDA,x,5,x 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 






x,DA,Xx,x.5 
XDA,EX,K 






Table 2 


















R.DA,K,X.x 
XDA, x4 


EE 


RDA,XALK 






x,DA.x,x,x 






ss 
a 
iy 
* 
< 
a 
” 


x,DA,x,.F.ET.x 





iss 
a 
& 
2 
a 
i; 





XDA,X,4,% 
ee 
Baden 
ae 
ee 
Es | 
mae 
aa 
pa 






TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


Table 2 







,DA.x.%,5 
aa 


* * 
3 “ 
@ oo + 4 
gz A 4 
ge C3 
< 
< 
q 
S 
on och on 
od a ham bead bd 
SBER aR See 5 


84 


a 















x.DA,Xx,x,% 
RDA.X,RK 


x,.DA,x,x.% 


{ 

g 

Ss =— 
= 38 
cE 


ges 
PUUUETTTE 


t 
oe 


he 
ay WL OTE | OCI Col =F cl T™100T ON nN ~ 
I SIGS SES Al calealcal sl si SISi si ai si as 
ea ATCA CAL et cry ii aici an eben al ct) cv) (ea) Mea Ky 





x.DA,X,5,% 









co_trans 

msg) 
x,.DA,x.T.FFx 
x,DA,x RT Fx 














x,DA,4,3,% 


TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


Table 2 










x,DA,4,x,4 
3,DA,x,4,5 


x,.DA,Xx,x,2% 












{ 
2 
is 
sg 


| 
35 
g 










co_trans_ 
msg; 
x.DA.x.FFT,x 





EST ao FOR THE OSI PROFILE (CONTINUED) 






T 






Table 2 






a7 
a 


86 








rod Fa 
41 Shs KI 







logical 







ogical t 






ate | 


TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 








Table 2 






De 
1 

























x,SAPETRF x 
x,2,SA,TEF,x 
X,x,SA.X,% 
x,4,SA,x,% 

4,5, SA.FTF,x 

1 SA FFT EF. 
a, SAFF,T,x 


T.x,SAFKRRT 
x,x,SA,u,x 





&,X,SA,X,x 











T.x,SA,x,x 


87 








CS ORES 





zg BIB 
8 





Eas RA Ee RE 


re Last Vs 


O8sm er 1) Osagsuesy 
Ojnqino 


(GA ANELNOO) @UWAOUd ISO AHL WOd AONANOGS DSAL +7 AIQe 


A 
& 
] 












Ogsar | 
teats ea13o] 338 









{ 
2 
a 
> 
‘e 
* 
a! 
a 


88 

















WL LAs 






APR 
s{g] S| ST&TS 


a 
a 


YES Vs Ye 


R}E 
Sl & 


rd Fal 





¥rysy'x 
YLSTAavs* 









ead Fo a 
alala a 





| 


Ownlaaw | 

















Sp “vedo feordoy oe Cy] Overswess 
3 129130] feaiZoy_age | - O$su . 
mat pranx freaps jx] aac oi ateansd yng3no 


((4NNLENOD) A WAOUd ISO AHL WOA AONANOAS LSAL *7 F198, 








89 









3S) BIB 8 ro} 
BES EBEEEEE als 













TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


loutbufg} sts. «| private_ 
Transfero (1,2) | msgo |™S80 





° 
e 







Table 2 


aA SABA 





LSA FT TFR« 
3,3,5A,3,5 
x,SA.F TEx 
sSAFTTLEFs 
x,SA FTE Fx 
LSA FTE Ax 
RSAFTET Fx 
x SAF TFT Fx 
x SA FTA TEx 


£,2,SA,2,x 
x,3,SA.TFFx 


KR,SA.4,X 






5,x,SA,x,z 
X,X,5A,2,2 
X,5,5A,2,% 
x,x,SA,%,% 





























[——rrvsv | 4 _cl | 


O’sm} (Z'1) Osaysuesy, 
“sys | Oynquno 


(GANNILNOD) A 1dOUd ISO AHL YOd AONANOAS LSAL *7 A&h 























a Ree ee ee ees es ees eee ee 

See ee es) ee Ee ees as SS ee erLavses sar 
Ba Ee ee Sees Pee eee Rs ey ees 

a a a eT ae ail ee aes See ee a | 
EE cs ec | 
PC fo tt rye oa SST 
SN CN NN NNN Cox cn RM; ss 28 | 
2 es sO US Cocos eek SL | 
SS GS SO GN Cc ee 608 | 
a ae a es es ee ee a es ee ee eee | 
ES Ds RS MS I cD O18 | 
i ee ee ee a 
ane ee eee ees ee Es ee ee LYt |] 
ee Sl DR SAC SE RA SSS a OTN RAC TO ee 2 
es ae es ey eee ee Ps es | 
EE SO ON Fe eR 2 28 | 
CN RS NS (RS Foc «2 | 
——} +} + —_7 5 = rirslivss [oa cri] 
[ae (Rigems Ree er (ees) (ee Ef vss | oa ey 
ae SC | 
—} jp}, pf 
ees eee, Gee) Cees Pee! Se | 
LS SS ss ee ee Es ei 
ae Ee a ey a EE a (aes ee a es ee | 
a ee I eee od Sel | 
a A Se | 
PTC (‘i iT Ol UTC a J rrsravss [sa ei | 
TC ft vss a cet ff 
ES SS | 
See a eee! eee a ae es a) aS Ee ee 
ee ES A SY SS ES Se a Fe 

~aeatid 


1 


9 








SAU ET eT 


= 
ie) 
=) 
2 
fo 
Zz 
-) 
J 
<a) 
= 
fale 
o 
4 
i-¥) 
7 
o 
<>} 
= 
at 
4 
© 
<a 
bad 
OF 
Ze 
3) 
oy 
o 
25) 
Nn 
i 
DM 
<3) 
~ 


Table 2 
fo] Sts_ 


loutbuf, 
(1,2) 


1 SAF. TEET.x 
x,SA.ET.RET,x 
1,5,SA,FFT,x 

x,SA TTF. 
SA TTF x 
x SATU TRE & 
x,4,SA,TEF,x 

x,SA,T,T.T.FF,x 
a SA TTF Fx 
3,SA TT TBF x 
a,SA.ET Fx 


Transfero 











SEIS 











eee) ee Ree ee ee a es es es 

a Re Ge, Dee Ds DS SS Se 

as ees ee Pe ee ee I ee 

a a a fT 

ee a a) ee ee ee ees ae ee 

2 ae ee ee ee Ieee es aes es 

Ca Fee (Ge) Ss a NS ee ee ee Ee 

a a ae ee 

sea) (RET eee) eee eee De) ee a Fe 

Se ee ee 

ee ea ere ie AE ees a ee 

ff +f +} —+—} 

aie (aes eS ees es ee es 

ry eae Dee eee GA) ees Res a See 

ee Taree; eee RAO Es (es ee ee We es 

Ce (a) EE (ed ee Mee as ee) 

CaS; eat PS a! Sal Cees ae Dee ee Ee 

Pas SST ee eee Ee (eee eae Ree eee 

eae A ER eT a Se ieee eel ee 

7 Ee es Se ee a a ee 

Se Re ae RT ae ee lees Ee 

i (ee, Rees eel See ee Re eee 

ae AEA, RARER CERN SRD PR ee ER FN I) | 
i tvs Td 507 I 
ES RE A PS NS PO OO sd a ee | 
ee | el | 
a aaa eae, PEM Pee a eee ee Pees! a) Re eee 
po} ft avs Ld Lol | 
nn a 
a arivss | 3d Sol ff 
SN SE NN Ee ae Ee SELLS? rt 
EE SS SS DS 

















Ofsu} O8sur | 
~yearsoy ee | aye 








Ossu| C8") (ZT) aed a 
“ayeausd| = S¥S | Ogn'quno 


(Q4HNNILNOO) A140Ud ISO FHL YOA TONANOGS LSA *7 Age b 





93 

























































Be Ee ee na ees eee a Ras ER | 
ee es ee es es ee eS ee es | 
Pa niivs 4 | 
a rrvs¥x [oa tse 
RR CR ES veysYs [9d CSC 
ES DS SS | 
SS NS SS ES ES NS ES | 
Ce | | ae S74 | 
ES SS ES cs | 
eT fe oo is od ie] 
RE ES RS Ec | 
RS RT (ee a a a 
ES NE RS SS NN << a 274 | 
CT fr a oa tre 
SS SS RS | 
RS EE RS RS SS OU NEE (<< S| 
PT fr evs oa re 
ES EE SE SS SR (GES <<< =< Ek MS 5% | 
SS NS MS RS NS ES <a RS 14 | 
As 4 | 
Se ce 4 | 
PT a “a f rrriivs 

ES 

PT —O——sCCf tf t—i dC 
ES RS RS RS NS F< Sc <4 | 
pe Tf tse a_i 
ES | 
a Pe RE ee CA ee ee | 
RS SS ES CS NS NS ES NS <M 22 | 
ES ES ES RS ES SS ES SS ES Fe 7 | 
EE RS GS NN 2 | 
Ee a SS ee es eee Se ee A) GEE reLtLivs® | oda $cc ff 

0 
gsu dew ce 
sis 


3d od | 
Ogsm}  (z‘]) Ojajsueay 
“sys [Oynqyno 


((4NNIINOO) F1AOUd ISO AHL Od FONANOAS LSAL *7 Ag8L 





| 
> 
c 
a 








94 





a 8]a] afayals ra} B=) Wr) B30 1B) BF EB 
B Byapara ro) #-} B=} 0) B) Fd Fs 


3] 3] shoo] |] 3] 8] 8] 8} 8] 2) co] |] 8] 8 
1 §/8] SIS (SIS SISISIN SISISISL S12 














logical logical 






ate_I 





TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 








Table 2 





Dc 


DC 









DC 
DC 
Dc 














x,SA,T.TFET.x 
x,SA.T.TFFT.x 
2,SA,T,. TEE T,x 
a SA TEER s 


Pst Fs 
Li 
iz es 
ast Ie! ede 
Ls ie’ a) ts 
<i < Bie 
aia <i < 
le] ied “aa 
Lt imal ai 


rs 
* fe 
< < 
a a 
Ls = 
= = 


wy 

al 
" ee rs 
< ele < 
“nA <i< “a 
* ala 4 
Lt ai Lad 


4,X,SA,X,% 
x,3,S5A,x,% 






z 





95 








LAT VS Ed 
rvyexr 


be 
a 


7 
8 


reygnr 


& 
af 


rx'yg x 
YP LAT VS* 
PLA Vvs'* 


iS) 
= 


J F-) f= Be 
slaaleiasiiz 


relat vss od 
THELIST vst 


rrysr'r 


a 


at x 


od 


re LITL Vs'* 
ra LTTL vss 
Al 


rrys rx 
YLTTVS 3X 
fod Od | LAL vst 


_ O8su| Oss} 6 O3su ‘ 
ALIG Jt) . 


(GQ4NNIINOD) AMAOUd ISO AHL YOd AONANOAS LSAL ‘7 Ge 


| 


w 
Nn 
N 


8 
a 


8 
N 
S\N 
N 


Oo 
og 


a 
a 



















TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 






° 
e 







Table 2 
Sts_ 
MS£0 


Oo 


bc 10 





loutbuf, 
(1,2) 


x,SA,.TEEF,T,x 
2 SA TREE T2 
3,5,SA,X,x 
%,x,SA,T.FF,x 
ASAT RFE Tx 
1,SA TE EFT,x 
Kx, SAF TF x 
a SA TF EFTx 
4,SA,. TF EF T,x 





Transferg 
XR,SA2,x 
3,1,5A,4,3 
X,5,SA,1,5 
42,SA,x,2 

























TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 





Table 2 















Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 














_ =| In f— = = Oo -—|— - _ 





co_trans_ cl_trans_ eslis_ | isis | clap 
MS£o Msgp MSZo msgy msg, 








Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


100 












Ease =|= = = = = c= 
- l= 


° 
if 


| a! sx 
$39 
be? 


co_trans_ 







—— 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 
= 
= 


Aa 


— 


101 












Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


Q 
ro] Imes 
2} 35/2 SY AISI 


102 


28 





é 


a) 
jeay 
= 
Z 
Loe 
= 
Z 
5 
2 
ia 
—! 
— 
ies 
a) 
4 
9 
— 
MN 
fo) 
Ged 
a 
= 
me 
=) 
<a 
ta 
O 
Zz 
a 
= 
=) 
es 
N 
= 
MN 
<a) 
= 
ei 
2 
| 
e 


N a Olt co 00 
= —_= =—i ow am 


















) 
iJ BO ain ~ wm ~ a) 00 


1 OIA) oI — fea) bog Wl moat oS fo] 
© © .) =) Ss To ~ls ™]™~Ie~-]T™1 col oo OO) = Re’) 
hss Ce) Kamm! on Tome Pad Meee) Cond Komet = 


104 


hore os 


session 

pe 
aaa 
| 
=z 
= ———] 
== 
Ve 
foe So 
pS 
= 
ee 
ee) 
ea 
| 
a) 
ae td 
| 
aa 
| 2 | 
z= 
maeae, 
= 
a 
ea 
Sa 
bea 
aa 
mea 
| 2 
aa 
=a 
si 


Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


=0 


presen 
tatio 
msg 





acse |smase_ cmise | rose 
MSZo |MSZo | SEO | Msg 

















cl_trans_ 

ms 
eee 
aie) 
eae 
a 
Eee 
Ne ee 
ee te 
es] 
ph reo 
ao 
ee 
eel 
eas 
ee gee 
=a 
aes 
ae 
Saas 
eee ay 
eee 
eae ed 
ee a 
eer 
aaa 
ae 





session |CO_trans_ 


Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 






resen 


tation 
MSO 









rose 


smase_ cmise 
nes Msgo | ™S80 | msgo 


NEC 
LILLIE esd teblt abet 
ONES CECE CNT QUEL CNICUI CNT OC Ci CY Mil Ci CY 


520 


a 











cl_trans es/is ; il 
— a is/is cinp_ Cc 
sco fa | SS 


co trans 
mé¢ a 


a 
baled 
=) 
z 
i 
Zz. 
° 
LY 
ied 
= 
fle 
=I 
-¥ 
—_ 
7) 
o 
bad 
ee 
~ 
om 
o 
falag 
<3) 
Ss) 
zZ. 
<3 
=) 
o 
<>) 
a 
fone 
K 
baked 
i 


Table 2: 
Z session 
g MSE 






















=) 
Pa hb). bab] asd pout bal 5 ~ 2 pi ~ ft wil [elolr 


AUT 


g 


a2 
28 
ef 

ef 


a 
52 
sé 
=] 
5 


z 
25 


re) 


ATS =) Ip bod ba) tT] 90 SiS 20) 
a & . ~ ati ~~ ~ =~ ~ ~ ~ ~ =~ ~ ~ ~ ES 


107 


E (CONTINUED) 






resen 
gon 


Table 2: TEST SEQUENCE FOR “= OSI PROFIL 


asia 


272 
273 





Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTINUED) 


cl_trans 
MS£Q 


o_trans 
MSZ0 


session | 
mMsgv_ ~|™S£0 
| 


= 


108 







Table 2: TEST SEQUENCE FOR THE OSI PROFILE (CONTIN 






a& = 
bal Pa 
SRIEE ealoal olenical inl oleniont Al Al ALALAL AL AL AL Al Ale: 


109 


a3 





as 
3s 

( 

ag |} 
Pa: 


5 
sf 
Z 
a 


| 
FF | 
i =| 


ve 
a 
° 
= 


a 
= 
>) 
Zz 
aa 
Zz 
~) 
Y 
<a 
= 
cs 
Z 
i-® 
| eal 
n 
co) 
eo 
Pe} 
ft 
a7 
=) 
ies 
<3] 
S) 
Zz. 
>] 
= 
Oo 
<>) 


fe 2: TEST S 








[ANNA88] 


[FINL84] 


(GREE89}] 


[HDBK92] 


[IFOC83] 


[1S08073] 


[JOHN87} 


[KIMB89] 


{KOCH91] 


[L11983] 


[LUND91] 


{[MILL90] 


LIST OF REFERENCES 


Annamalai, K., “FDDI Physical Layer Implementation Considerations,” 
Proceedings of SPIE Fiber Optic Datacom and Computer Networks, vol. 
991, International Society for Optical Engineering, Bellingham, WA., 1988. 


Finley, M.R., “Optical Fibers in Local Area Communications,” IEEE 
Communication Magazine, Volume 22, No. 8, Aug. 1984. 


Green, D.T. and D.T. Marlow, “SAFENET - A LAN for Navy Mission 
Critical Systems,” Proc. 14th Conf. Local Computer Networks, Minneapolis, 
MN, pp. 340-346, Oct. 1989. 


Military Handbook, “Survivable Adaptable Fiber Optic Embedded Network 
(SAFENET),” Sep. 1992, Naval Ocean Systems Center, MIL-HDBK-2204. 


International Fiber Optics and Communications 1983-84 Handbook and 
Buyers Guide, Volume V, published by Information Gatekeepers, Inc. 


ISO 8073,“Information Processing Systems - Open Systems Interconnection- 
Connection Oriented Transport Protocol Specification,” 1986. 


Johnson, R.A. and R.C. Stewart, “Implementation of Fiber Optics in U.S. 
Naval Combatants,” Proc. SPIE, vol 840, pp. 80-93, Aug. 20-21 1987. 


Kimball, Robert M., “Optical Performance models for FDDI Links,” 
Proceedings of SPIE Fiber Networking and Telecommunications, vol. 1179, 
International Society for Optical Engineering, Bellingham, WA., 1989. 


Kochanski, R.J. and J.L. Paige, “SAFENET: The Standard and Its 
Application,” IEEE LCS, Feb. 1991, Vol. 2, No. 1, pp. 46-51. 


Li, T., “Advances in optical fiber communications: an historical perspective,” 
IEEE J. Select. Areas commun., SAC - 1, no. 3, pp. 356-372, Apr. 1983. 


Lundy, G.M., “Improving Throughput in the FDDI Token Ring Network,” 
Proc. of the Second International Workshop on Protocols for High-Speed 
Networks, IFIP, North Holland, 1991. 


Miller, R.E. and G.M. Lundy, “Testing Protocol Implementations Based on a 
Formal Specification,” Proc. of the Third International Workshop on 
Protocol Test Systems, IFIP, North Holland, Oct. 1990. 


111 








[PAIG90] 


[ROSS89] 


[STAL88] 


Paige, J.L. and E.A. Howard “SAFENET II - The Navy’s - FDDI based 
computer network standard,” Proceedings of SPIE Campus-Wide, and 
Metropolitan Area Networks, vol 1364, International Society for Optical 
Engineering, Bellingham, WA., 1990. 


Ross, F.E., “An Overview of FDDI: The Fiber Distributed Data Interface,” 
IEEE Journal on Selected Areas in Communications, Sep. 1989. 


Stallings, William, Data and Computer Communications, Macmillan 
Publishing Company, New York, NY, 1988. 


112 




















INITIAL DISTRIBUTION LIST 


Defense Technical Information Center 2 
Cameron Station 
Alexandria, VA 22304-6145 


Dudley Knox Library 2 
Code 52 

Naval Postgraduate School 

Monterey,CA 93943-5002 


Chairman, Code CS 2 
Computer Science Department 

Naval Postgraduate School 

Monterey,CA 93943 


Dr. G. M. Lundy 3 
Computer Science Department, Code CSLn 

Naval Postgraduate School 

Monterey, CA 93943 


Prof. L. Stevens a l 
Computer Science Department, Code CSSt 

Naval Postgraduate School 

Monterey,CA 93943 


LT. Wayne High 2 
Rte. 1 Box 99A 
Eutawville, SC 29048 


CDR. Greg Sawyer I 
SPAWAR SYSCOM, Code 2312 

5 Crystal Park 

Washington,DC 20363 








